Role Title: L3 Active Directory Engineer / AD SME
Location: SFO, CA
Experience: 7-12+ years
Domain: Identity & Access Management, Windows Infrastructure
Role Summary
We are looking for a highly skilled L3 Active Directory (On-Premise) SME with deep experience in designing, managing, and troubleshooting complex AD environments. The candidate will be the highest escalation point for AD issues, lead architectural improvements, perform RCA, and ensure AD security, availability, and performance in a large enterprise environment.
Key Responsibilities
L3 Escalation & Technical Support
Serve as the top-tier escalation for Active Directory and Windows infrastructure issues. Troubleshoot complex authentication, replication, DNS, GPO, policy processing, and trust issues. Perform advanced RCA, log analysis, and performance debugging. Develop L3 SOPs, KB articles, scripts, and automation for operations teams.
Active Directory Administration & Architecture
Manage and maintain large multi-domain, multi-forest on-prem AD environments. Oversee FSMO roles, domain controllers (DC health), AD sites, and replication topology. Install, upgrade, and harden domain controllers (physical/virtual). Implement AD schema updates and forest/domain functional level upgrades. Perform AD migration, consolidation, restructuring, and domain/forest trust design.
DNS, DHCP, & Windows Core Infrastructure
Troubleshoot AD-integrated DNS issues (zones, scavenging, forwarding, delegation). Manage and secure DHCP scopes, reservations, failover. Deep understanding of Kerberos, NTLM, LDAP, LDAPS, SPNs, tickets, token bloat. Ensure GPO performance tuning, inheritance control, WMI filters, controlled rollouts.
Security & Hardening
Implement AD security baselines, CIS benchmarks, and Microsoft security best practices. Periodically audit domain controllers, replication, delegations, and privileged groups. Manage the tiered admin model, least privilege, Just-In-Time (JIT) access & Just-Enough-Administration (JEA). Enforce password policies, PAM/Privileged Identity controls, and secure service account management. Perform log and event analysis through a SIEM (Splunk, Sentinel, QRadar).
High Availability & DR
Build and validate disaster recovery procedures for AD, DNS, and DHCP. Maintain backup/restore strategies using tools like AD Recycle Bin, Authoritative Restore, System State, and VM snapshots. Ensure site resiliency, replication health, and multi-site availability.
Automation & Scripting
Automate AD operations using PowerShell (mandatory). Build scripts for:
- User provisioning/deprovisioning
- Group management
- GPO backup/restore
- ACL/permissions
- Health monitoring & reporting
Integration & Identity Services
Expertise integrating AD with:
- ADFS
- Azure AD Connect (sync rules, writeback, filtering)
- SSO solutions
- LDAP-based applications
- PKI/Certification Services
Understand hybrid identity dependencies (even though this role is on-prem focused).
Required Skills & Qualifications
7-12+ years hands-on experience in enterprise Active Directory environments. Deep knowledge of:
- AD architecture, design & security
- DNS, DHCP, Sites & Services
- Kerberos, LDAP, GPO, trusts, replication
Experience troubleshooting large distributed Windows Server infrastructures. Strong PowerShell automation skills. Experience implementing AD hardening, security baselines, RBAC delegation. Knowledge of backup/restore and DR strategies for domain controllers. Strong understanding of networking fundamentals (TCP/IP, firewall rules, ports).
Preferred Skills
Microsoft certifications (AZ-800, AZ-801, MS-100/101, SC-300, MCSA/MCSE). Experience with Azure AD and hybrid identity models. Experience with IAM/PAM tools (Delinea, CyberArk, BeyondTrust). Familiarity with virtualization (VMware/Hyper-V). Experience with enterprise SIEM and security monitoring tools.