You can't buy certs for non.public.domain.local. So you must control the CA list on all client machines and use a self-signed cert.
The assumption that there is a solution to the problem does not take into consideration that sometimes these changes are not possible.
If I were to choose, everyone would be using public domains with DNS zone views for public/private environments, but the Microsoft DNS service doesn't even support it.