Senior Active Directory Engineer

Riyadh, Saudi Arabia | Posted on 06/16/2026

Alnafitha is seekinga Senior Active Directory Engineer to deliver managed operations and to supporta major identity change initiative for a banking client in the Kingdom of Saudi Arabia. Working as the on-site technical liaison between the client and theglobal office, the engineer ensures the stability, security, and compliance ofthe client’s Active Directory environment while executing planned modernization work (such as forest consolidation, domain migration, schema upgrades, and security hardening) in parallel with business-as-usual operations.

• Monitor Active Directory health,including replication, FSMO roles, SYSVOL, event logs, and domain controller performance.
• Perform daily health checks(DCDIAG, REPADMIN, NETDIAG) and carry out proactive remediation.
• Manage DNS hygiene, including scavenging, stale records, and DNSSEC where used.
• Manage time synchronisation,ensuring the PDC emulator points to a reliable NTP source.
• Ensure backup success (system state and full forest) and periodically test restores.
• Apply OS, security, and AD cumulative updates during approved maintenance windows.

• Participate in joint planning withthe global office and local bank teams to define the change (e.g., forest consolidation, domain migration, schema upgrade, security overhaul, site topology redesign).
• Deploy new domain controllers orupgrade existing ones.
• Modify site links, subnets, and replication schedules.
• Restructure OUs and move objects(users, computers, groups) using tools such as ADMT, Power Shell, and Quest.
• Implement new GPOs or refactor existing ones.
• Configure or reconfigure foreand domain trusts.
• Migrate service accounts to gMSAwherever possible.
• Perform pre-change validation in alab or staging environment.
• Execute change during approved maintenance windows (nights / weekends, respecting banking hours).
• Validate post-change health androll back if success criteria are not met.

• Maintain an AD security baseline aligned with CIS / NIST and banking regulations (FFIEC, PCI, SWIFT CSP).
• Manage and monitor privileged groups (Enterprise Admins, Domain Admins, Schema Admins) for unauthorized changes.
• Review and clean up stale users,computers, and service accounts monthly.
• Enforce Kerberos AES encryption,restrict NTLM, and enable LDAP signing and channel binding.
• Manage and rotate service account credentials (LAPS for local admins, gMSA for services).
• Assist with privileged access management (PAWs, JIT, break-glass accounts).
• Ensure audit policies forward logsto the SIEM (Splunk, Sentinel, QRadar) and investigate anomalies.

• Act as the technical liaison between the global AD team and local bank operations.
• Participate in weekly design /status calls with the global office during the major change initiative.
• Translate global AD standards intolocal implementation plans.
• Report on local environment health, risks, and change progress using agreed dashboards.
• Escalate issues requiring global decisions (e.g., schema changes, cross-forest trust policies).

• Diagnose and resolve AD-related incidents, including authentication failures, replication breaks, GPO application issues, account lockouts, and Kerberos errors.
• Perform root cause analysis and implement permanent fixes.
• Support application teams with AD integration issues (SPN misconfigurations, delegation, permissions).
• Participate in security incident response where AD compromise is suspected (e.g., golden ticket, DCSyncattacks).

• Maintain living documentation: AD topology, domain controller inventory, FSMO locations, site links, GPO inventory, privileged group memberships, and service account lists.
• Document all changes performed during the major change initiative, including before / after states.
• Produce troubleshooting runbooksfor common AD issues tailored to the bank’s environment.
• Provide training sessions forlocal junior admins and global office teams as needed.