Microsoft has introduced numerous administrative tools to simplify and enhance management of Windows Server 2008. One of the functions is Active Directory Federation Services. Active Directory Federation Services (ADFS for short) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated.
Claims based authentication is the process of authenticating a user based on a set of claims about its identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims based authentication.
In AD FS, identity federation is established between two organizations by establishing trust between two security realms. A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including its identity. On the other side, the Resources side, another federation server validates the token and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.
Another function is Microsoft Active Directory Lightweight Directory Services (AD LDS) is an independent mode of Active Directory that provides dedicated directory services for applications. Although AD LDS independently provides directory storage and access for applications, AD LDS uses the same standard application programming interfaces (APIs) as Active Directory to manage and access the application data. The resulting conceptual and programming compatibility makes AD LDS ideal for applications that require directory services, but do not require the complete infrastructure features of Active Directory. AD LDS is a directory services solution for developers who are familiar with programming for Active Directory. Developers who are unfamiliar with Active Directory will find that integrating AD LDS as a directory service for their applications is easier than using the complete features of Active Directory. In both cases, AD LDS provides a directory services solution for developers who seek compatibility and consistency with Active Directory. AD LDS runs with the full feature set on the Microsoft Windows Server 2008 operating system.
Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies. The features in AD CS are by using Server Manager; you can install the following components of AD CS: Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs). The Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates. The Certificate Enrollment Web Service enables users and computers to perform certificate enrollment that uses the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain. The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
The benefits of AD CS are organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPSec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures. The new features of AD CS in Windows Server 2008 R2 include: Certificate enrollment that uses the HTTPS protocol, Certificate enrollment across Active Directory Domain Services (AD DS) forest boundaries, improved support for high-volume certificate issuance, support for CAs on a Server Core installation of Windows Server 2008 R2. By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands. An AD RMS system includes a Windows Server® 2008 R2-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The Windows Serverm2008 operating system eases the task of managing and securing multiple server roles in an enterprise with the new Server Manager console. Server Manager in Windows Server 2008 provides a single source for managing a server's identity and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.
Server Manager replaces several features included with Windows Server® 2003, including Manage Your Server, Configure Your Server, and Add or Remove Windows Components. Server Manager also eliminates the requirement that administrators run the Security Configuration Wizard before deploying servers; server roles are configured with recommended security settings by default, and are ready to deploy as soon as they are installed and properly configured.
Server Manager is an expanded Microsoft Management Console (MMC) that allows you to view and manage virtually all of the information and tools that affect your server's productivity. Commands in Server Manager allow you to install or remove server roles and features, and to augment roles already installed on the server by adding role services.
Server Manager makes server administration more efficient by allowing administrators to do the following by using a single tool: view and make changes to server roles and features installed on the server, perform management tasks associated with the operational life cycle of the server, such as starting or stopping services, and managing local user accounts, perform management tasks associated with the operational life cycle of roles installed on the server, determine server status, identify critical events, and analyze and troubleshoot configuration issues or failures, install or remove roles, role services, and features by using a Windows command line. Server Manager is installed by default as part of the Windows Server 2008 setup process. To use Server Manager, you must be logged on to the computer as a member of the Administrators group on the local computer.
Windows System Resource Manager (WSRM) is a component of Microsoft's Windows Server 2008/2003 operating systems that provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities. It is also available as a downloadable add-on for Windows Server 2003 Enterprise and Datacenter editions.
WSRM enables users to manage CPU and memory utilization on a per process basis. An administrator sets targets for the amount of hardware resources that running applications or users are allowed to consume. It can allocate resources among multiple applications on a server according to defined policies. This can be helpful in a corporate environment when, for example, your well-behaved application software has to co-exist with an application that has a memory leak. Without protection such as afforded by WSRM, your application will run more slowly and/or crash, because the misbehaving application will eventually cause problems that affect every application that shares its memory space. Thanks to the WSRM, a software application can be limited to an isolated subset of hardware resources. As a result of this, the bad effects caused by the memory leak will be limited to that subset. Hardware partitioning can also solve the problem, but it is a far more complex solution.
Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

Bibliography http://technet.microsoft.com/en-us/windowsserver/dd448615. n.d. 12 may 2012.