Here's what I do on my Windows servers:
1) Create a non-resolving local domain (myorg.local)
2) NEVER create a DOMAIN for my actual domain name
Instead, I create domains for each of the servers on my domain that are on the local network, but not any domains for the servers on the internet.
So, since my mail server is local, I create a domain "mail.myorg.org" on my Windows server, then set the A record for that domain to the LAN IP for my mail server. LAN users then get the LAN IP, while Internet users get the firewall's public IP from our public DNS.
Since my web server is off-site, I don't create any local entry for it; DNS queries are forwarded off-site and resolve correctly to the public IP.
To break it down - imagine that my email and wiki are local, but my blog and main website are hosted outside of my office. Here's what I end up with:
On my internet DNS (at Network Solutions):
mail.myorg.org points to my firewall IP
wiki.myorg.org points to my firewall IP
blog.myorg.org points to my blog host
www.myorg.org points to my web host
On my Active Directory Servers:
myorg.org HAS NO ENTRY
mail.myorg.org is a ZONE, with the A record set to the LAN IP for the mail server
wiki.myorg.org is a ZONE, with the A record set to the LAN IP for the wiki server
blog.myorg.org HAS NO ENTRY
www.myorg.org HAS NO ENTRY
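The per-host zone layout above, scripted against the Windows Server DNS role with the DnsServer PowerShell module. This is an added example, not the poster's own script: the LAN addresses (192.168.10.x), the forwarder address, and the TTL are placeholders I chose for illustration, and the AD domain itself (myorg.local) is assumed to already exist from DC promotion. The check at the top enforces the poster's key rule: no zone for the bare myorg.org, because such a zone would shadow blog and www and they would stop resolving on the LAN.

```powershell
# Added example (not from the original post): per-host split-horizon zones on
# a Windows DNS server, following the layout described above.
# Placeholders: LAN IPs, forwarder IP and TTL are assumptions for illustration.
#Requires -Modules DnsServer

$LocalHosts = @{
    'mail.myorg.org' = '192.168.10.25'   # assumed LAN IP of the mail server
    'wiki.myorg.org' = '192.168.10.26'   # assumed LAN IP of the wiki server
}
$Forwarder = '9.9.9.9'                   # assumed upstream resolver for everything else

# Rule from the post: NEVER a zone for the bare domain. A myorg.org zone here would
# make this server authoritative for blog/www too, and they would resolve to nothing.
if (Get-DnsServerZone -Name 'myorg.org' -ErrorAction SilentlyContinue) {
    throw 'A zone for myorg.org exists on this server; remove it before adding per-host zones.'
}

foreach ($fqdn in $LocalHosts.Keys) {
    # One AD-integrated primary zone per hostname; the A record sits at the zone apex ("@").
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
    }
    Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' `
        -IPv4Address $LocalHosts[$fqdn] -TimeToLive (New-TimeSpan -Hours 1)
}

# Names with no local zone (blog, www, and myorg.org itself) go upstream and
# come back with the public records.
Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false

# Verify from the server itself: LAN IPs for mail/wiki, public IPs for blog/www.
foreach ($name in 'mail.myorg.org', 'wiki.myorg.org', 'blog.myorg.org', 'www.myorg.org') {
    $answer = Resolve-DnsName -Name $name -Type A -Server 'localhost' -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
    '{0,-18} -> {1}' -f $name, ($answer -join ', ')
}
```

Run it once per AD-integrated DNS server only if the zones are not set to replicate; with -ReplicationScope 'Domain' the zones replicate to every DC running DNS in the domain, so one run is enough. If a LAN client still gets the firewall's public IP for mail or wiki, check that the client's resolver is the AD DNS server and not the public one handed out by the firewall's DHCP.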