There are mutliple managed domains with the same attribute names that contain different syntaxes. When the ActiveRoles Server Service starts, the attribute gets labeled as a specific syntax and can be different every time depending upon which domain is read first.
For example, Domain A contains a boolean, and Domain B has an attribute with the same name of syntax String, then ActiveRoles Server will sometimes specify that attribute as Boolean and other time as String, causing the other domain to become non-editable.
Deny Read Permission for the ActiveRoles Server Service Account in the domain that contains the undesired Attribute Syntax using ADSI Edit.
The following procedure explains how to specify a deny permission to an attribute: