Active Directory Engineer

Medvacon Life Sciences, Houston, TX

About The Position

The Windows Active Directory Engineer is responsible for stabilizing, securing, and modernizing the enterprise Active Directory environment with a strong focus on directory cleanup, identity hygiene, replication health, and security hardening. This role ensures AD remains healthy, compliant, resilient, and aligned with Zero Trust identity principles across on‑prem and hybrid cloud environments.

Requirements

  • 5–10+ years of hands‑on experience with Active Directory, DNS, DHCP, GPO, and Windows Server.
  • Deep expertise in AD cleanup, replication troubleshooting, and security hardening.
  • Strong PowerShell skills for automation and bulk remediation.
  • Experience with Azure AD / Entra ID, hybrid identity, and AAD Connect.
  • Familiarity with SIEM, identity threat detection, and AD attack paths.
  • Understanding of Kerberos, NTLM, LDAP, SAML, OAuth, and modern auth.

Nice To Haves

  • Knowledge of Red Forest / ESAE, Tiered Admin Model, and Zero Trust identity.
  • Certifications: Microsoft Identity & Access Administrator (SC‑300), Azure Administrator

Responsibilities

  • Perform comprehensive AD cleanup including stale objects, unused OUs, orphaned SIDs, legacy GPOs, and deprecated configurations.
  • Normalize and restructure OU hierarchy, naming standards, and attribute consistency.
  • Identify and remediate duplicate SPNs, conflicting UPNs, and misconfigured service accounts.
  • Clean up old domain controllers, decommission legacy forests/domains, and remove deprecated trust relationships.
  • Conduct ACL cleanup to eliminate excessive permissions and privilege creep.
  • Implement CIS/NIST/Microsoft security baselines for domain controllers and AD objects.
  • Harden authentication by reducing NTLM, enforcing Kerberos protections, and implementing authentication policies/silos.
  • Deploy and maintain Privileged Access Workstations (PAW) and tiered admin model (Tier 0/1/2).
  • Remediate identity vulnerabilities such as DCSync exposure, unconstrained delegation, Golden Ticket risks, and weak ACLs.
  • Integrate AD logs with SIEM platforms (Sentinel, Splunk, QRadar) for continuous monitoring.
  • Implement secure service account management, including gMSA adoption and rotation policies.
  • Monitor and maintain AD replication topology, site links, and inter‑site connectivity.
  • Troubleshoot replication failures (USN rollback, lingering objects, tombstone issues).
  • Perform authoritative and non‑authoritative restores as needed.
  • Ensure domain controllers are patched, hardened, and compliant with security standards.
  • Validate SYSVOL health (DFSR), replication convergence, and GPO consistency.
  • Audit and clean up legacy, conflicting, or redundant GPOs.
  • Standardize GPO structure, naming, and versioning.
  • Implement GPO security baselines for servers, workstations, and privileged accounts.
  • Troubleshoot GPO processing issues and configuration drift.
  • Support and optimize Azure AD Connect sync, attribute flows, and identity lifecycle.
  • Remediate sync errors, duplicate identities, and hybrid identity conflicts.
  • Implement Conditional Access, MFA enforcement, and modern authentication policies.
  • Support migration toward Zero Trust identity and passwordless authentication.
  • Maintain detailed documentation of AD topology, GPOs, replication, and security configurations.
  • Develop identity governance standards, naming conventions, and lifecycle processes.
  • Provide recommendations for AD modernization, consolidation, and long‑term stability.
  • Participate in audits, compliance reviews, and security assessments.
© 2026 Teal Labs, Inc