Do set up a public key infrastructure (PKI) properly: have an offline root separate from the online issuing server. AD Certificate Services is one implementation; I mention it specifically because you are already doing the work of running AD. Other solutions exist.
Do not use self-signed certificates for the end user, for example the HTTPS service on www.intranet.example.net.
Starting a new root of trust for everything is difficult to secure and annoying to manage.
Do trust your root CA on each managed host (clients and servers), so that their TLS implementations can verify the certificate chains. This is done via cryptographic math, not anything inherent to a DNS name:

exampleRoot1
  can sign exampleIssuingCA1
    can sign www.intranet.example.net
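Building exactly that chain (offline root, online issuing CA, short-lived server leaf) and the self-signed anti-pattern beside it, as an added example that is not part of the original answer: it uses plain openssl rather than AD CS or Smallstep, and the file layout, config profiles and throwaway keys are assumptions of the demo.

```shell
# Added example (not from the original answer): build the chain
# exampleRoot1 -> exampleIssuingCA1 -> www.intranet.example.net with openssl and
# check how chain verification behaves. Assumes openssl 1.1.1+ on PATH; file
# names and throwaway keys are this demo's own, not any product's convention.
set -e

# build_chain DIR: writes root.crt, issuing.crt, leaf.crt and self.crt into DIR
build_chain() {
  d="$1"; c="$d/pki.cnf"; mkdir -p "$d"
  # One config, three profiles: offline root, issuing CA (pathlen:0, cannot mint sub-CAs), server leaf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=x' \
    '[root]' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    '[issuing]' 'basicConstraints=critical,CA:TRUE,pathlen:0' 'subjectKeyIdentifier=hash' \
    'keyUsage=critical,keyCertSign,cRLSign' 'authorityKeyIdentifier=keyid' \
    '[leaf]' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:www.intranet.example.net' > "$c"
  # Offline root: self-signed and long-lived; its key never sits on the issuing server.
  openssl req -config "$c" -x509 -extensions root -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj /CN=exampleRoot1 -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  # Online issuing CA: a CSR signed once by the root.
  openssl req -config "$c" -new -newkey rsa:2048 -nodes -subj /CN=exampleIssuingCA1 \
    -keyout "$d/issuing.key" -out "$d/issuing.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1825 -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$c" -extensions issuing -out "$d/issuing.crt" >/dev/null 2>&1
  # Server cert: one-day lifetime, the kind an ACME client renews automatically.
  openssl req -config "$c" -new -newkey rsa:2048 -nodes -subj /CN=www.intranet.example.net \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$d/leaf.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
    -CAcreateserial -extfile "$c" -extensions leaf -out "$d/leaf.crt" >/dev/null 2>&1
  # The anti-pattern from the answer: a self-signed cert for the same host, outside the PKI.
  openssl req -config "$c" -x509 -extensions leaf -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj /CN=www.intranet.example.net -keyout "$d/self.key" -out "$d/self.crt" >/dev/null 2>&1
}

# verify_leaf DIR CERT [ISSUING]: exit 0 only if CERT chains to the trusted root for the
# intranet hostname. The issuing cert is passed as "untrusted", as a TLS server sends it.
verify_leaf() {
  d="$1"; cert="$2"; inter="$3"
  set -- -CAfile "$d/root.crt" -verify_hostname www.intranet.example.net
  if [ -n "$inter" ]; then set -- "$@" -untrusted "$d/$inter"; fi
  openssl verify "$@" "$d/$cert" >/dev/null 2>&1
}

# Demo: full chain verifies; leaf without the issuing cert and the self-signed cert do not.
t=$(mktemp -d); build_chain "$t"
for chk in "leaf.crt issuing.crt" "leaf.crt" "self.crt issuing.crt"; do
  if verify_leaf "$t" $chk; then echo "OK   : $chk"; else echo "FAIL : $chk"; fi
done; rm -rf "$t"
```

Only root.crt goes into the clients' trust store; the server presents leaf.crt plus issuing.crt, which is why the second check fails when the issuing cert is missing.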
Do automate the process of TLS servers renewing their certificates, in this case for Apache httpd. How exactly depends on the PKI software you choose. Worth noting that there are good options that make it easy to renew certs every day. Smallstep can run a private ACME server (the protocol certbot speaks) plus other integrations, as an issuing CA in an existing PKI. So if you wanted, you could have AD members and ACME clients both getting certs in their preferred way while sharing a root.
Do not use .local domains; that TLD is reserved for mDNS. Get internet domain names from a registrar.