Active Directory Engineer

Medvacon Life Sciences
US - Texas - Houston
View Company Profile / << Go Back

  • Job Type: Full time
  • 30 days ago

Job Description

**Role Summary**  

The Windows Active Directory Engineer is responsible for stabilizing, securing, and modernizing the enterprise Active Directory environment with a strong focus on directory cleanup, identity hygiene, replication health, and security hardening. This role ensures AD remains healthy, compliant, resilient, and aligned with Zero Trust identity principles across on-prem and hybrid cloud environments.  

**Key Responsibilities**

1. **Active Directory Cleanup \& Optimization**

* Perform comprehensive AD cleanup including stale objects, unused OUs, orphaned SIDs, legacy GPOs, and deprecated configurations.
* Normalize and restructure OU hierarchy, naming standards, and attribute consistency.
* Identify and remediate duplicate SPNs, conflicting UPNs, and misconfigured service accounts.
* Clean up old domain controllers, decommission legacy forests/domains, and remove deprecated trust relationships.
* Conduct ACL cleanup to eliminate excessive permissions and privilege creep.

1. **AD Security Hardening \& Identity Protection**

* Implement CIS/NIST/Microsoft security baselines for domain controllers and AD objects.
* Harden authentication by reducing NTLM, enforcing Kerberos protections, and implementing authentication policies/silos.
* Deploy and maintain Privileged Access Workstations (PAW) and tiered admin model (Tier 0/1/2).
* Remediate identity vulnerabilities such as DC Sync exposure, unconstrained delegation, Golden Ticket risks, and weak ACLs.
* Integrate AD logs with SIEM platforms (Sentinel, Splunk, QRadar) for continuous monitoring.
* Implement secure service account management, including gMSA adoption and rotation policies.

1. **AD Replication Health \& Domain Controller Management**

* Monitor and maintain AD replication topology, site links, and inter-site connectivity.
* Troubleshoot replication failures (USN rollback, lingering objects, tombstone issues).
* Perform authoritative and non-authoritative restores as needed.
* Ensure domain controllers are patched, hardened, and compliant with security standards.
* Validate SYSVOL health (DFSR), replication convergence, and GPO consistency.

1. **Group Policy Management \& Cleanup**

* Audit and clean up legacy, conflicting, or redundant GPOs.
* Standardize GPO structure, naming, and versioning.
* Implement GPO security baselines for servers, workstations, and privileged accounts.
* Troubleshoot GPO processing issues and configuration drift.

1. **Hybrid Identity \& Azure AD (Entra ID) Integration**

* Support and optimize Azure AD Connect sync, attribute flows, and identity lifecycle.
* Remediate sync errors, duplicate identities, and hybrid identity conflicts.
* Implement Conditional Access, MFA enforcement, and modern authentication policies.
* Support migration toward Zero Trust identity and passwordless authentication.

1. **Documentation, Governance \& Continuous Improvement**

* Maintain detailed documentation of AD topology, GPOs, replication, and security configurations.
* Develop identity governance standards, naming conventions, and lifecycle processes.
* Provide recommendations for AD modernization, consolidation, and long-term stability.
* Participate in audits, compliance reviews, and security assessments.

**Required Skills \& Experience**

* 5--10 years of hands-on experience with Active Directory, DNS, DHCP, GPO, and Windows Server.
* Deep expertise in AD cleanup, replication troubleshooting, and security hardening.
* Strong PowerShell skills for automation and bulk remediation.
* Experience with Azure AD / Entra ID, hybrid identity, and AAD Connect.
* Familiarity with SIEM, identity threat detection, and AD attack paths.
* Understanding of Kerberos, NTLM, LDAP, SAML, OAuth, and modern auth.

**Preferred Qualifications**

* Knowledge of Red Forest / ESAE, Tiered Admin Model, and Zero Trust identity.
* Certifications: Microsoft Identity \& Access Administrator (SC-300), Azure Administrator

Important Notice: Protecting Your Information

Medvacon Talent Acquisition only conducts initial video interviews via Microsoft Teams or Zoom. All communication will come from an email address ending in @medvacon.com. If you receive a message that seems suspicious or is not from our official domain, please report it immediately to [email protected].




Fast Track Upload