Сертификаты Windows Server внешний домен
Просто настройте один из NICs со шлюзом и не давайте другому NIC шлюз, таким образом, он не имеет выбора который способ перейти к Интернету.
Я надеюсь, что Ваш контроллер домена находится позади маршрутизатора NAT, таким образом, он не выставляется Интернету.
If all your clients are controlled by you, and you have trusted the root cert on all clients, you can just issue a new certificate to the Exchange Server which includes both names as a SAN entry. Have a look here for instructions how.
After installing and enabling this certificate on the Exchange Server, all clients that trust your root CA certificate will accept this certificate for both domain names.
If you have external clients (non-domain-clients) which do not trust your root CA, they will still get cert warnings / issues. You would need a certificate from a public CA then.
Also, as another variant, you can set exchange that it uses the same (external) domain for internal clients as well, and use a certificate with the external name only. Have a look at this question for details:
Get-WebServicesVirtualDirectory | Fl Identity,InternalUrl,BasicAuthenticationExternalUrl
Get-OabVirtualDirectory | Fl Identity,InternalURL,ExternalURL
Get-ActiveSyncVirtualDirectory | Fl Identity,InternalUrl,ExternalUrl
Get-OutlookAnywhere | Fl Server,ExternalHostname
Get-ClientAccessServer | Fl Server,AutoDiscoverServiceInternalURI