In some scenarios it is useful to hide an Active Roles Administration Service instance. For example, a dedicated job server can improve performance on the other instances, but Active Roles clients should then be prevented from automatically connecting to that dedicated job server.
Active Roles clients locate services through serviceConnectionPoint objects that the Active Roles Administration Service creates in each managed domain under the System/Aelita/Enterprise Directory Manager container. Each service instance periodically re-creates or updates its own connection point, so simply deleting these objects only hides the associated instance until the next publication cycle.
Service connection points are created under the security context of the Active Roles service account. Denying the service account permission to create a service connection point in native Active Directory will effectively hide the service from the Connect To dialog in the Active Roles Console, but will not prevent anyone from connecting to the service if they type in the server FQDN manually.
In Active Directory Users and Computers or another native tool, set a Deny permission for the Active Roles service account on the ability to create child serviceConnectionPoint objects within the System/Aelita/Enterprise Directory Manager container in every managed domain. The deny only blocks creation: an instance that already has a connection point in the container can keep updating it, so delete the existing serviceConnectionPoint for the instance you want to hide after the deny is in place. For the same reason, if several instances run under the same service account, the deny affects all of them; run the instance to be hidden under its own service account so the others continue to publish normally.
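The following PowerShell script is an added example and is not part of the Active Roles documentation or product. It lists the connection points currently published in each managed domain and then applies the Deny ACE described above with the ActiveDirectory module. The service account name (CONTOSO\svc-ars), the domain list, and the drive names are hypothetical and must be replaced; the serviceConnectionPoint class GUID is read from the schema at run time rather than hard-coded.

```powershell
# Added example, not from the Active Roles documentation.
# Hides an Administration Service instance by denying its service account the right to
# create serviceConnectionPoint objects under CN=Enterprise Directory Manager,CN=Aelita,
# CN=System in every managed domain. Requires the RSAT ActiveDirectory module and rights
# to modify that container's DACL in each domain.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-ars'                      # assumption: account the hidden instance runs as
$ManagedDomains = @('contoso.com', 'child.contoso.com')  # assumption: domains managed by Active Roles

function Get-SchemaClassGuid {
    # Resolve the schemaIDGUID of an object class from the schema partition of the target forest.
    param([string]$LdapDisplayName, [string]$Server)
    $schemaNc = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $cls = Get-ADObject -Server $Server -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $cls) { throw "Class '$LdapDisplayName' not found in the schema via $Server" }
    return [System.Guid]$cls.schemaIDGUID
}

function Get-EdmContainerDN {
    # Distinguished name of the container in which Active Roles publishes its connection points.
    param([string]$Server)
    $domainNc = (Get-ADRootDSE -Server $Server).defaultNamingContext
    return "CN=Enterprise Directory Manager,CN=Aelita,CN=System,$domainNc"
}

function Get-PublishedService {
    # Enumerate the serviceConnectionPoint objects that Active Roles clients use for discovery.
    param([string]$Server)
    Get-ADObject -Server $Server -SearchBase (Get-EdmContainerDN -Server $Server) -SearchScope OneLevel `
        -LDAPFilter '(objectClass=serviceConnectionPoint)' -Properties serviceBindingInformation |
        Select-Object Name, serviceBindingInformation
}

function Deny-ScpCreation {
    # Add an explicit Deny CreateChild ACE, scoped to the serviceConnectionPoint class, for $Account.
    # An explicit deny on the container beats the allow the account normally relies on to publish.
    param([string]$Server, [string]$Account)
    $containerDn = Get-EdmContainerDN -Server $Server
    $scpGuid     = Get-SchemaClassGuid -LdapDisplayName 'serviceConnectionPoint' -Server $Server
    $sid         = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                       [System.Security.Principal.SecurityIdentifier])

    # The default AD: drive is bound to the logon domain, so mount one per managed domain.
    $driveName = 'ARS' + ($Server -replace '[^A-Za-z0-9]', '')
    New-PSDrive -Name $driveName -PSProvider ActiveDirectory -Server $Server -Root '' | Out-Null
    try {
        $path = "${driveName}:\$containerDn"
        $acl  = Get-Acl -Path $path
        $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $scpGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
    }
    finally {
        Remove-PSDrive -Name $driveName
    }
}

foreach ($domain in $ManagedDomains) {
    Write-Host "== $domain : connection points currently published =="
    Get-PublishedService -Server $domain | Format-Table -AutoSize
    Deny-ScpCreation -Server $domain -Account $ServiceAccount
    Write-Host "Deny CreateChild(serviceConnectionPoint) for $ServiceAccount applied in $domain"
}
```

After the script runs, delete the serviceConnectionPoint of the instance you want to hide (the listing shows which object belongs to which server) and re-run Get-PublishedService after the next publication cycle to confirm it has not reappeared. The ACE is applied with inheritance set to None, so it affects only direct children of the container and nothing else in the domain.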
To hide all service connection points of all Active Roles instances in a domain (for example, for a test Active Roles installation or during migration to a new Active Roles version), set the edsaPublishEdmService attribute of that Managed Domain to FALSE. This stops every instance from publishing its connection point to that domain.