L3 Active Directory Engineer / AD SME

Position:1


Job Description: L3 Engineer / SME - Active Directory (On-Premise)


Role Title: L3 Active Directory Engineer / AD SME


Experience: 12+ years


Domain: Identity & Access Management, Windows Infrastructure

Role Summary


We are looking for a highly skilled L3 Active Directory (On-Premise) SME with deep experience in designing, managing, and troubleshooting complex AD environments. The candidate will be the highest escalation point for AD issues, lead architectural improvements, perform RCA, and ensure AD security, availability, and performance in a large enterprise environment.

Key Responsibilities


1. L3 Escalation & Technical Support


Serve as the top-tier escalation for Active Directory and Windows infrastructure issues.


Troubleshoot complex authentication, replication, DNS, GPO, policy processing, and trust issues.


Perform advanced RCA, log analysis, and performance debugging.


Develop L3 SOPs, KB articles, scripts, and automation for operations teams.

2. Active Directory Administration & Architecture


Manage and maintain large multi-domain, multi-forest on-prem AD environments.


Oversee FSMO roles, domain controllers (DC health), AD sites, replication topology.


Install, upgrade, and harden domain controllers (physical/virtual).


Implement AD schema updates, forest/domain functional level upgrades.


Perform AD migration, consolidation, restructuring, and domain/forest trust design.

3. DNS, DHCP, & Windows Core Infrastructure


Troubleshoot AD-integrated DNS issues (zones, scavenging, forwarding, delegation).


Manage and secure DHCP scopes, reservations, failover.


Deep understanding of Kerberos, NTLM, LDAP, LDAPS, SPNs, tickets, token bloat.


Ensure GPO performance tuning, inheritance control, WMI filters, controlled rollouts.

4 . Security & Hardening


Implement AD security baselines, CIS benchmarks, and Microsoft security best practices.


Periodically audit domain controllers, replication, delegations, privileged groups.


Manage tiered admin model, least privilege, Just-In-Time (JIT) & Just-Enough-Administration (JEA).


Enforce password policies, PAM/Privileged Identity controls, and secure service account management.


Perform logs and event analysis through SIEM (Splunk, Sentinel, QRadar).

5. High Availability & DR


Build and validate disaster recovery procedures for AD, DNS, and DHCP.


Maintain backup/restore strategies using tools like AD Recycle Bin, Authoritative Restore, System State, VM snapshots.


Ensure site resiliency, replication health, and multi-site availability.

6. Automation & Scripting


Automate AD operations using PowerShell (mandatory).


Build scripts for:


User provisioning/deprovisioning


Group management


GPO backup/restore


ACL/permissions


Health monitoring & reporting

7. Integration & Identity Services


Expertise integrating AD with:


ADFS


Azure AD Connect (Sync rules, writeback, filtering)


SSO solutions


LDAP-based applications


PKI/Certification Services

Understand hybrid identity dependencies (even though this role is on-prem focused).

Required Skills & Qualifications

7-12+ years hands-on experience in enterprise Active Directory environments.


Deep knowledge of:

AD architecture, design & security


DNS, DHCP, Sites & Services


Kerberos, LDAP, GPO, trusts, replication

Experience troubleshooting large distributed Windows Server infrastructures.


Strong PowerShell automation skills.


Experience implementing AD hardening, security baselines, RBAC delegation.


Knowledge of backup/restore and DR strategies for domain controllers.


Strong understanding of networking fundamentals (TCP/IP, firewall rules, ports).

Preferred Skills


Microsoft certifications (AZ-800, AZ-801, MS-100/101, SC-300, MCSA/MCSE).


Experience with Azure AD and hybrid identity models.


Experience with IAM/PAM tools (Delinea, CyberArk, BeyondTrust).


Familiarity with virtualization (VMware/Hyper-V).


Experience with enterprise SIEM and security monitoring tools.