Active Directory Engineer

MEDVACON LIFE SCIENCES, LLC
Houston, TX Full Time
POSTED ON 6/20/2026
AVAILABLE BEFORE 7/18/2026

Role Summary


The Windows Active Directory Engineer is responsible for stabilizing, securing, and modernizing the enterprise Active Directory environment with a strong focus on directory cleanup, identity hygiene, replication health, and security hardening. This role ensures AD remains healthy, compliant, resilient, and aligned with Zero Trust identity principles across on‑prem and hybrid cloud environments.


Key Responsibilities

Active Directory Cleanup & Optimization

  • Perform comprehensive AD cleanup including stale objects, unused OUs, orphaned SIDs, legacy GPOs, and deprecated configurations.
  • Normalize and restructure OU hierarchy, naming standards, and attribute consistency.
  • Identify and remediate duplicate SPNs, conflicting UPNs, and misconfigured service accounts.
  • Clean up old domain controllers, decommission legacy forests/domains, and remove deprecated trust relationships.
  • Conduct ACL cleanup to eliminate excessive permissions and privilege creep.

AD Security Hardening & Identity Protection

  • Implement CIS/NIST/Microsoft security baselines for domain controllers and AD objects.
  • Harden authentication by reducing NTLM, enforcing Kerberos protections, and implementing authentication policies/silos.
  • Deploy and maintain Privileged Access Workstations (PAW) and tiered admin model (Tier 0/1/2).
  • Remediate identity vulnerabilities such as DCSync exposure, unconstrained delegation, Golden Ticket risks, and weak ACLs.
  • Integrate AD logs with SIEM platforms (Sentinel, Splunk, QRadar) for continuous monitoring.
  • Implement secure service account management, including gMSA adoption and rotation policies.

AD Replication Health & Domain Controller Management

  • Monitor and maintain AD replication topology, site links, and inter‑site connectivity.
  • Troubleshoot replication failures (USN rollback, lingering objects, tombstone issues).
  • Perform authoritative and non‑authoritative restores as needed.
  • Ensure domain controllers are patched, hardened, and compliant with security standards.
  • Validate SYSVOL health (DFSR), replication convergence, and GPO consistency.

Group Policy Management & Cleanup

  • Audit and clean up legacy, conflicting, or redundant GPOs.
  • Standardize GPO structure, naming, and versioning.
  • Implement GPO security baselines for servers, workstations, and privileged accounts.
  • Troubleshoot GPO processing issues and configuration drift.

Hybrid Identity & Azure AD (Entra ID) Integration

  • Support and optimize Azure AD Connect sync, attribute flows, and identity lifecycle.
  • Remediate sync errors, duplicate identities, and hybrid identity conflicts.
  • Implement Conditional Access, MFA enforcement, and modern authentication policies.
  • Support migration toward Zero Trust identity and passwordless authentication.

Documentation, Governance & Continuous Improvement

  • Maintain detailed documentation of AD topology, GPOs, replication, and security configurations.
  • Develop identity governance standards, naming conventions, and lifecycle processes.
  • Provide recommendations for AD modernization, consolidation, and long‑term stability.
  • Participate in audits, compliance reviews, and security assessments.


Required Skills & Experience

  • 5–10 years of hands‑on experience with Active Directory, DNS, DHCP, GPO, and Windows Server.
  • Deep expertise in AD cleanup, replication troubleshooting, and security hardening.
  • Strong PowerShell skills for automation and bulk remediation.
  • Experience with Azure AD / Entra ID, hybrid identity, and AAD Connect.
  • Familiarity with SIEM, identity threat detection, and AD attack paths.
  • Understanding of Kerberos, NTLM, LDAP, SAML, OAuth, and modern auth.


Preferred Qualifications

  • Knowledge of Red Forest / ESAE, Tiered Admin Model, and Zero Trust identity.
  • Certifications: Microsoft Identity & Access Administrator (SC‑300), Azure Administrator

Salary.com Estimation for Active Directory Engineer in Houston, TX
$65,571 to $81,863

