So my question to you guys: to get this working, from what I understand, I need to take "students.contoso.com" in public-facing certificates on my on-premise edge, and I also need to point federation DNS records to this domain on-premise. But what about other DNS records? Should this domain be a part of my topology? How much work do I need to do internally with simple URLs, DNS, certificates and so on? All our users in this domain will still contain Online.