Role Summary

The Windows Active Directory Engineer is responsible for stabilizing, securing, and modernizing the enterprise Active Directory environment with a strong focus on directory cleanup, identity hygiene, replication health, and security hardening. This role ensures AD remains healthy, compliant, resilient, and aligned with Zero Trust identity principles across on-prem and hybrid cloud environments.
Key Responsibilities

Active Directory Cleanup & Optimization
- Perform comprehensive AD cleanup including stale objects, unused OUs, orphaned SIDs, legacy GPOs, and deprecated configurations.
- Normalize and restructure OU hierarchy, naming standards, and attribute consistency.
- Identify and remediate duplicate SPNs, conflicting UPNs, and misconfigured service accounts.
- Clean up old domain controllers, decommission legacy forests/domains, and remove deprecated trust relationships.
- Conduct ACL cleanup to eliminate excessive permissions and privilege creep.

AD Security Hardening & Identity Protection
- Implement CIS/NIST/Microsoft security baselines for domain controllers and AD objects.
- Harden authentication by phasing out NTLM, enforcing Kerberos protections (AES-only encryption types, removal of RC4), and implementing authentication policies and authentication policy silos.
- Deploy and maintain Privileged Access Workstations (PAW) and tiered admin model (Tier 0/1/2).
- Remediate identity vulnerabilities such as DCSync exposure (replication rights held by principals other than domain controllers and Tier 0 administrators), unconstrained delegation, Golden Ticket risks (stale krbtgt keys), and weak ACLs.
- Integrate AD logs with SIEM platforms (Sentinel, Splunk, QRadar) for continuous monitoring.
- Implement secure service account management, including gMSA adoption and rotation policies.
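As an added illustration of the kind of audit the hardening items above call for (this script is not part of the job posting and not from any named employer), the following PowerShell enumerates three findings in one pass: non-DC principals with unconstrained delegation, duplicate SPNs, and every ACE on the domain head that grants the replication extended rights used by DCSync. It assumes the RSAT ActiveDirectory module, read access to the domain, and that the `$expected` list of principals is tuned to your environment (the list here is an assumption, not a complete default).

```powershell
# Added example, not part of the job posting: read-only audit of three identity
# risks. Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000) on anything that is
#    not a domain controller lets that host reuse the forwarded TGT of every user
#    that authenticates to it. Computer objects derive from user, so one filter suffices.
$uacFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
$dcOU      = $domain.DomainControllersContainer
$unconstrained = Get-ADObject -LDAPFilter "(&(objectClass=user)$uacFilter)" -Properties sAMAccountName |
    Where-Object { $_.DistinguishedName -notlike "*,$dcOU" } |
    Select-Object sAMAccountName, ObjectClass, DistinguishedName

# 2. Duplicate SPNs: the same SPN on two accounts means the KDC cannot pick a key,
#    so Kerberos authentication to that service fails (often intermittently).
$spnOwners = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()            # SPNs compare case-insensitively
            if (-not $spnOwners.ContainsKey($key)) {
                $spnOwners[$key] = New-Object System.Collections.Generic.List[string]
            }
            $spnOwners[$key].Add($dn)
        }
    }
$duplicateSpns = $spnOwners.GetEnumerator() |
    Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ SPN = $_.Key; Owners = ($_.Value -join '; ') } }

# 3. DCSync exposure: these extended rights on the domain naming context let a
#    principal pull password hashes for every account via the replication protocol.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$allExtended = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"
# Principals expected to hold replication rights. ASSUMPTION for this example: tune it
# (e.g. add a properly scoped Azure AD Connect account) before trusting the "Expected" column.
$expected = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)
$adRights = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path "AD:\$domainDN"
$dcsyncHolders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # GenericAll includes ExtendedRight, so this single test also catches full-control ACEs.
    if (($ace.ActiveDirectoryRights -band $adRights::ExtendedRight) -eq 0) { continue }
    $guid = $ace.ObjectType.ToString()
    if ($replRights.ContainsKey($guid) -or $guid -eq $allExtended) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = if ($guid -eq $allExtended) { 'All extended rights' } else { $replRights[$guid] }
            Inherited = $ace.IsInherited
            Expected  = $expected -contains $ace.IdentityReference.Value
        }
    }
}

"Unconstrained delegation outside the Domain Controllers OU: $(@($unconstrained).Count)"
$unconstrained | Format-Table -AutoSize
"Duplicate SPNs: $(@($duplicateSpns).Count)"
$duplicateSpns | Format-Table -AutoSize
"Replication rights on $domainDN (review every row where Expected is False):"
$dcsyncHolders | Sort-Object Expected, Identity | Format-Table -AutoSize
```

The SPN check only covers the current domain; for a forest-wide view run the same LDAP query against a global catalog (`-Server <gc>:3268`) or cross-check with `setspn -X`. Treat the DCSync list as a review queue rather than an auto-remediation target: some legitimate accounts (for example a hybrid sync service account) need these rights, but each should be named, documented, and tiered as a Tier 0 identity.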

AD Replication Health & Domain Controller Management
- Monitor and maintain AD replication topology, site links, and inter-site connectivity.
- Troubleshoot replication failures (USN rollback, lingering objects, partners silent longer than the tombstone lifetime).
- Perform authoritative and non-authoritative restores as needed.
- Ensure domain controllers are patched, hardened, and compliant with security standards.
- Validate SYSVOL health (DFSR), replication convergence, and GPO consistency.
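The following PowerShell is an added example of a read-only health sweep for the replication and SYSVOL items above; it is not part of the job posting. It assumes the RSAT ActiveDirectory module, `repadmin.exe` and `dfsrmig.exe` on the path, WinRM access to each domain controller for the registry check, and rights to read the NTDS parameters and DFSR WMI namespace.

```powershell
# Added example, not part of the job posting: replication, USN-rollback and SYSVOL
# health sweep for one domain. Assumes RSAT AD module, repadmin/dfsrmig, and WinRM to DCs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * -Server $domain.DNSRoot

# 1. Tombstone lifetime. A partner that has not replicated for longer than this can
#    reintroduce already-deleted objects (lingering objects) when it reconnects.
#    If the attribute is absent the forest uses the legacy 60-day default.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties tombstoneLifetime
$tombstoneDays = if ($dsCfg.tombstoneLifetime) { $dsCfg.tombstoneLifetime } else { 60 }

# 2. Inbound replication metadata and failures for every DC in the domain.
$partners = Get-ADReplicationPartnerMetadata -Target $domain.DNSRoot -Scope Domain
$stale    = $partners | Where-Object {
    $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tombstoneDays)
}
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain

# 3. USN rollback. After an unsupported restore (snapshot, disk image) NTDS sets
#    "Dsa Not Writable" = 4 and logs Directory Service event 2095. Such a DC is
#    demoted and re-promoted; re-enabling replication by hand would spread the damage.
$rollback = foreach ($dc in $dcs) {
    $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                          -ErrorAction SilentlyContinue).'Dsa Not Writable'
    }
    if ($value -eq 4) { $dc.HostName }
}

# 4. SYSVOL. Global state 3 ("Eliminated") means the FRS-to-DFSR migration finished;
#    per-DC replicated folder state 4 is Normal, 5 is In Error, 2 is still in initial sync.
$dfsrMigration = & dfsrmig.exe /getglobalstate
$sysvolFolders = foreach ($dc in $dcs) {
    Get-CimInstance -ComputerName $dc.HostName -Namespace 'root\MicrosoftDFS' `
                    -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
        Where-Object ReplicatedFolderName -eq 'SYSVOL Share' |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, ReplicatedFolderName, State
}

"Tombstone lifetime: $tombstoneDays days"
"Replication failures: $(@($failures).Count)"
$failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
"Partners silent longer than the tombstone lifetime (lingering-object risk): $(@($stale).Count)"
$stale | Format-Table Server, Partner, Partition, LastReplicationSuccess -AutoSize
"DCs flagged for USN rollback: $(@($rollback) -join ', ')"
"DFSR migration state: $($dfsrMigration -join ' ')"
$sysvolFolders | Format-Table -AutoSize
# Independent cross-check of the same replication picture from the repadmin side.
& repadmin.exe /replsummary
```

Any partner in `$stale` warrants a lingering-object scan with `repadmin /removelingeringobjects ... /advisory_mode` against a known-good reference DC before removal, and any DC in `$rollback` is a rebuild, not a repair. Run the sweep from a Privileged Access Workstation, since it authenticates to every domain controller.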

Group Policy Management & Cleanup
- Audit and clean up legacy, conflicting, or redundant GPOs.
- Standardize GPO structure, naming, and versioning.
- Implement GPO security baselines for servers, workstations, and privileged accounts.
- Troubleshoot GPO processing issues and configuration drift.

Hybrid Identity & Azure AD (Entra ID) Integration
- Support and optimize Azure AD Connect sync, attribute flows, and identity lifecycle.
- Remediate sync errors, duplicate identities, and hybrid identity conflicts.
- Implement Conditional Access, MFA enforcement, and modern authentication policies.
- Support migration toward Zero Trust identity and passwordless authentication.

Documentation, Governance & Continuous Improvement
- Maintain detailed documentation of AD topology, GPOs, replication, and security configurations.
- Develop identity governance standards, naming conventions, and lifecycle processes.
- Provide recommendations for AD modernization, consolidation, and long-term stability.
- Participate in audits, compliance reviews, and security assessments.
Required Skills & Experience

- 5-10+ years of hands-on experience with Active Directory, DNS, DHCP, GPO, and Windows Server.
- Deep expertise in AD cleanup, replication troubleshooting, and security hardening.
- Strong PowerShell skills for automation and bulk remediation.
- Experience with Azure AD / Entra ID, hybrid identity, and Azure AD Connect (Entra Connect).
- Familiarity with SIEM, identity threat detection, and AD attack paths.
- Understanding of Kerberos, NTLM, LDAP, SAML, OAuth, and modern auth.
Preferred Qualifications

- Knowledge of Red Forest / ESAE, Tiered Admin Model, and Zero Trust identity.
- Certifications: Microsoft Identity & Access Administrator (SC-300), Azure Administrator (AZ-104)