Title: L3 Active Directory Engineer / AD SME
Duration: Contract
Location: SFO, CA - Onsite
Experience: 7-12 years
Domain: Identity & Access Management, Windows Infrastructure
Role Summary
We are looking for a highly skilled L3 Active Directory (On-Premise) SME with deep experience in designing, managing, and troubleshooting complex AD environments. The candidate will be the highest escalation point for AD issues, lead architectural improvements, perform RCA, and ensure AD security, availability, and performance in a large enterprise environment.
Key Responsibilities
1. L3 Escalation & Technical Support
Serve as the top-tier escalation for Active Directory and Windows infrastructure issues.
Troubleshoot complex authentication, replication, DNS, GPO, policy processing, and trust issues.
Perform advanced RCA, log analysis, and performance debugging.
Develop L3 SOPs, KB articles, scripts, and automation for operations teams.
2. Active Directory Administration & Architecture
Manage and maintain large multi-domain, multi-forest on-prem AD environments.
Oversee FSMO roles, domain controllers (DC health), AD sites, replication topology.
Install, upgrade, and harden domain controllers (physical/virtual).
Implement AD schema updates, forest/domain functional level upgrades.
Perform AD migration, consolidation, restructuring, and domain/forest trust design.
3. DNS, DHCP & Windows Core Infrastructure
Troubleshoot AD-integrated DNS issues (zones, scavenging, forwarding, delegation).
Manage and secure DHCP scopes, reservations, failover.
Deep understanding of Kerberos, NTLM, LDAP, LDAPS, SPNs, tickets, token bloat.
Ensure GPO performance tuning, inheritance control, WMI filters, controlled rollouts.
4. Security & Hardening
Implement AD security baselines, CIS benchmarks, and Microsoft security best practices.
Periodically audit domain controllers, replication, delegations, privileged groups.
Manage tiered admin model, least privilege, Just-In-Time (JIT) & Just Enough Administration (JEA).
Enforce password policies, PAM/Privileged Identity controls, and secure service account management.
Perform log and event analysis through SIEM (Splunk, Sentinel, QRadar).
5. High Availability & DR
Build and validate disaster recovery procedures for AD, DNS, and DHCP.
Maintain backup/restore strategies using tools like AD Recycle Bin, Authoritative Restore, System State, VM snapshots.
Ensure site resiliency, replication health, and multi-site availability.
6. Automation & Scripting
Automate AD operations using PowerShell (mandatory).
Build scripts for:
User provisioning/deprovisioning
Group management
GPO backup/restore
ACL/permissions
Health monitoring & reporting
7. Integration & Identity Services
Expertise integrating AD with:
ADFS
Azure AD Connect (Sync rules, writeback, filtering)
SSO solutions
LDAP-based applications
PKI/Certification Services
Understand hybrid identity dependencies (even though this role is on-prem focused).
Required Skills & Qualifications
7-12 years hands-on experience in enterprise Active Directory environments.
Deep knowledge of:
AD architecture design & security
DNS, DHCP, Sites & Services
Kerberos, LDAP, GPO, trusts, replication
Experience troubleshooting large distributed Windows Server infrastructures.
Strong PowerShell automation skills.
Experience implementing AD hardening, security baselines, RBAC, delegation.
Knowledge of backup/restore and DR strategies for domain controllers.
Strong understanding of networking fundamentals (TCP/IP, firewall rules, ports).
Preferred Skills
Microsoft certifications (AZ-800, AZ-801, MS-100/101, SC-300, MCSA/MCSE).
Experience with Azure AD and hybrid identity models.
Experience with IAM/PAM tools (Delinea, CyberArk, BeyondTrust).
Familiarity with virtualization (VMware/Hyper-V).
Experience with enterprise SIEM and security monitoring tools.