Office 365 Hybrid setup

I have recently taken over a network with a hybrid exchange setup. For a number of reasons I plan to migrate the whole network to a new domain next year but one of the big obstacles in my way is exchange. Exchange is not really my area of expertise so I require some guidance to what is and is not possible (site is a school).

Where I am:
A network with an ADFS proxy, ADFS and an Exchange 2013 server in a hybrid setup. Students are on 365, teachers are on local Exchange. Our domain naming is all over the place:
Internal domain: schoolnameHigh.org.uk
Email extension for Teachers: schoolname.com
Email extension for Students: Students.schoolname.com

Where I want to be:
A network with an ADFS server syncing any (added, modified, removed) users in x or y AD Organisational Units and creating email addresses for them.
No Exchange or ADFS proxy server (I am happy to have a proxy if it's really needed \ more secure)
Internal domain: schoolname.com
Email extension for Teachers: schoolname.com
Email extension for Students: Students.schoolname.com

What I plan to do: Migrate the local Exchange users to 365, un-attach 365 from our current domain, re-attach it to our new domain and re-link accounts to users. I have been told by a 3rd party company I can never have a domain without an on-premises Exchange server \ that's not the way it works. However, in my previous jobs I saw many networks with 365 and ADFS that had no Exchange server. So at this point I would really like some advice on
A.) Is my plan technically flawed \ not possible?
B.) Am I really tied to always having an on-premises Exchange server if I want ADFS \ single sign-on?
Dead_Eyes asked:
Michael Chisholm commented:
A:) Your plan is not flawed. If you are not an Exchange person then hosting is your best bet.

B:) I currently have in place an Office 365 Exchange service running without an Exchange server. We use a PowerShell script to populate the mail addresses into the directory before syncing with Office 365.

This should explain the single sign-on

https://technet.microsoft.com/en-us/magazine/jj631606.aspx

If I have missed the point of your question please let me know and I can elaborate.
Amit, IT Architect, commented:
You are basically looking for a cross-forest migration. ADFS is just for SSO. It won't do any sync. You need the ADFS Proxy for users connecting from the external network. I don't think you want anyone to connect to your internal ADFS server from the Internet.

As far as Office 365 is concerned, you need to talk to Microsoft about what is required from your end to do this migration, as it will break the hybrid setup.
Dead_Eyes (author) commented:
Thanks Michael and Amit,

Michael - Is this PowerShell script publicly available \ downloadable?

Amit - To my understanding \ what I have seen, you add a user to AD and then, after what I thought was the ADFS sync, an e-mail address was automatically created for them. If ADFS does not automatically create the e-mail address or do the sync, what does?
Amit, IT Architect, commented:
You need DirSync or the Azure sync tool. I highly recommend you contact Microsoft, as your scenario is a bit different.
Michael Chisholm commented:
PowerShell script to add email addresses to Active Directory without an Exchange server; this will populate the email field in the user account.
# change the -Filter / -SearchBase to suit your OU
$users = Get-ADUser -Filter * -SearchBase "ou=Testing,ou=Students,ou=Domain Users,dc=UK,dc=local" -Properties ProxyAddresses

Foreach ($u in $users) {
    # first initial + surname; the upper-case "SMTP:" prefix marks the primary address
    $address = "$($u.GivenName[0])$($u.Surname)@YourDomainGoesHere.uk"
    $u.ProxyAddresses = @("SMTP:$address")   # proxyAddresses is multi-valued, so assign an array
    $u.EmailAddress = $address               # also populates the mail attribute
    Set-ADUser -Instance $u
}

# Get-ADUser needs -Filter (or -Identity); list the result for the same OU
Get-ADUser -Filter * -SearchBase "ou=Testing,ou=Students,ou=Domain Users,dc=UK,dc=local" -Properties ProxyAddresses | Format-Table GivenName, ProxyAddresses

Dead_Eyes (author) commented:
Thanks, that's a big help and good to know I wasn't totally off the rails lol.
Michael - Big thanks and great script
Amit - same, and my bad, I thought DirSync was part of ADFS
Michael Chisholm commented:
I agree with Amit

Amit
"You need dir sync or Azure sync tool. I highly recommend you to contact Microsoft. As your scenario is bit different."

Reason: You are going to be detaching your domain and reattaching a new domain, which will change the GUID for every user, possibly damaging every account you have by orphaning them. That number is very important to Exchange and AD Sync.
Cliff Galiher commented:
I'm copying your text and replying in line to keep things somewhat organized:

Where I want to be:
 A network with an ADFS server syncing any (added, modified, removed) users in x or y AD Organisational Units and creating email addresses for them.
-----------------
ADFS does not sync.  ADFS authenticates.  Office 365 is backed by Azure Active Directory. They *have* a sync tool (AADConnect) but that is not ADFS.  You can also create accounts directly in AAD via the web portal that aren't synced.
-----------------
 No Exchange or ADFS proxy server (I am happy to have a proxy if it's really needed \ more secure)
-----------------
If you want to authenticate against your internal AD servers you *really* should have a proxy.
-----------------
 Internal domain: schoolname.com
 Email extension for Teachers: schoolname.com
 Email extension for Students: Students.schoolname.com
-----------------
Changing your internal domain is ugly.  Unless you have a compelling reason to do so, I rarely recommend doing it.  "So it matches" is usually a cosmetic choice and ROI for the effort can never be attained, hence the "compelling" caveat.


 What I plan to do: Migrate the local exchange users to 365, un-attach 365 from our current domain, re-attach it our new domain and re-link accounts to users.
------------------
If you plan on building a new domain, this gets *VERY* ugly. "Reattaching" users in O365 is not a trivial task.  There are unique GUIDs associated with each account that are populated with a sync, and once populated, you can't simply attach an AAD account to a new AD account. That'd be a huge security loophole.  The premise behind this block is the same as not being able to delete and create an AD account with the same name to access old account data. The SID in AD prevents this.  The GUID in AAD does a very similar job.
------------------
I have been told by a 3rd party company I can never have a domain without an on-premises exchange server \ that's not the way it works. However in my previous jobs I saw many networks with 365 and ADFS that had no exchange server.
------------------
*IF* you are running a Hybrid Exchange environment then what you are told is absolutely true. Or if you are authenticating cloud/O365 users via ADFS. It is possible to have an environment where O365 users have cloud accounts for O365, and ADFS is used for securing on-premises apps, but AAD and AD are not linked in any way. In *that* case, yes, you can see an environment with ADFS without Exchange.

But when you introduce AD/AAD syncing, the AD objects are what populate the cloud accounts *including* the Exchange objects. That means having an on-prem Exchange server, even if it hosts no mailboxes. There are undocumented ways of manually creating and populating Exchange properties, but they are unsupported for a reason. They have side-effects. And worse, because you are doing it manually, future O365 updates could irrevocably break your environment if you aren't using the right tools. Hybrid was built for using an on-prem Exchange for management. Other solutions are ....to be blunt....high risk.

 So at this point I would really like some advice on
 A.) Is my plan technically flawed \ not possible?
------
I'd say it is not reasonable. What is "possible" is always as much luck as anything. We all hear stories of the guy that fell off a 10 story building and managed to survive because he fell through an awning, bounced off a rail, landed on the roof of a soft-top convertible, and there were balloons in the backseat.  That doesn't mean you go and make a habit of jumping off 10 story buildings.  It is "possible" to survive, but not reasonable.
------
B.) Am I really tied to always having an on-premises Exchange server if I want ADFS \ single sign-on?
------
"Always?"  Maybe, maybe not. Microsoft may architect a future solution to address this pain point.  But as of today, yes, ADFS/SSO is, for practical purposes, tied to having an Exchange server on-prem.

-Cliff
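The GUID linkage Cliff and Michael describe can be audited before anyone touches the domain. The following script is an added example, not code from any participant in this thread: it computes the ImmutableId that AAD Connect derives from each on-prem user's objectGUID and compares it with what Azure AD holds, so accounts that would be orphaned by a re-created domain show up in a report. It assumes the ActiveDirectory and MSOnline modules, an existing Connect-MsolService session, and a placeholder OU path.

```powershell
# Added example (not from the thread): audit on-prem AD -> Azure AD account linkage.
# AAD Connect's default source anchor is the base64 form of the on-prem objectGUID,
# stored on the cloud user as ImmutableId. Re-creating the on-prem account in a new
# domain gives it a new objectGUID, so the existing cloud user no longer matches.
# Assumes: ActiveDirectory + MSOnline modules, Connect-MsolService already run,
# and a placeholder OU (change "ou=Staff,dc=schoolname,dc=com" to your own).
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADUser]$User)
    # Same conversion AAD Connect applies to objectGUID when it sets the source anchor
    [Convert]::ToBase64String($User.ObjectGUID.ToByteArray())
}

$onPrem = Get-ADUser -Filter * -SearchBase "ou=Staff,dc=schoolname,dc=com" -Properties mail
# Only synced cloud accounts carry an ImmutableId; cloud-only accounts have none
$cloud  = Get-MsolUser -All | Where-Object { $_.ImmutableId }

$cloudByAnchor = @{}
foreach ($c in $cloud) { $cloudByAnchor[$c.ImmutableId] = $c }

$expectedAnchors = @{}
$report = foreach ($u in $onPrem) {
    $anchor = Get-ExpectedImmutableId $u
    $expectedAnchors[$anchor] = $true
    $match  = $cloudByAnchor[$anchor]
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OnPremUPN      = $u.UserPrincipalName
        CloudUPN       = if ($match) { $match.UserPrincipalName } else { '<none>' }
        Status         = if (-not $match) { 'NOT LINKED: a new cloud object would be created on sync' }
                         elseif ($match.UserPrincipalName -ne $u.UserPrincipalName) { 'LINKED, UPN differs' }
                         else { 'LINKED' }
    }
}

# Cloud users whose anchor no longer matches any on-prem objectGUID are already orphaned
$orphans = $cloud | Where-Object { -not $expectedAnchors.ContainsKey($_.ImmutableId) } |
           Select-Object UserPrincipalName, ImmutableId

$report  | Sort-Object Status | Format-Table -AutoSize
$orphans | Format-Table -AutoSize
```

Run this against the current domain first to record which cloud mailboxes are bound to which on-prem objects; every row that flips to NOT LINKED after a domain change is an account whose cloud data is no longer reachable through sync.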