You are assuming that you control all client machines. Unfortunately, it is not always possible and far from the admin's technical decision.
The admin usually can't fire the upper management.
It's possible to purchase certs signed by pre-trusted CAs extremely cheaply ($9/year/name) that can then be used on internal services. This is not a difficult problem to solve.
You can't buy certs for non.public.domain.local. So you must control the CA list on all client machines and use a self-signed cert.
The assumption that there is a solution to the problem does not take into consideration that sometimes these changes are not possible.
If I were to choose, everyone would be using public domains with DNS zone views for public/private environments, but the Microsoft DNS service doesn't even support it.