All right, I'll bite on that. From a security perspective, the Principle of Least Privilege and the idea of Separation of Duties carried to a service account would suggest you don't run such an update from SQL Server. You keep SQL Server running with minimal privileges, especially to update the domain. Because you get control of the server / the SQL Server and you've gotten the domain, or at least elevated credentials on the domain.

The fact of the matter is that unless you're running SBS, you shouldn't be running SQL Server on a DC. And chances are the DCs are locked down tighter than the server where SQL Server is running (for instance, only domain admins can remote desktop into a DC because they're the only ones with domain admin rights). If you were running such a script, you would likely want it on a member server with minimal services running which has a security profile similar to a DC.