Resolution
How do I prevent a new Domain Controller from receiving the Directory and Resource Administrator agent?
fact
Directory and Resource Administrator 6.x
fact
Directory and Resource Administrator 7.x
fix
The agent gets installed on the Domain Controller (DC) using the credentials of the Directory and Resource Administrator (DRA) service account. In theory, if you deny the service account access to the domain controller it would not be able to apply the agent service. You could deny access using Directory Security Administrator (DSA) on the Active Directory object for that domain controller as one possible method. Other methods could be to use NTFS permissions to deny the service account access to the administrative shares on the Domain Controller, or use registry security to deny access to the registry for the DRA service account on that DC.
IMPORTANT NOTE: This is an untested and unsupported environment. If the above is accomplished, the accuracy of the logon statistics would be questionable and any client workstations that hit that Domain Controller to try and find the DRA server via the agent, won't be able to.