It's possible to purchase certs signed by pre-trusted CAs extremely cheaply ($9/year/name) that can then be used on internal services. This is not a difficult problem to solve.
You can't buy certs for non.public.domain.local. So you must control the CA list at all client machines and use a self signed cert.
The assumptions that there is a solution to the problem do not take in consideration that some times these changes are not possible.
If I were to choose everyone would be using public domains with DNS zone view for public / private environments but Microsoft DNS service don't even support it.
