You have the right considerations.
That is, it sounds like you are also defining your own root certificate authority, an internal authority. After all, it's only one internal web site; why should you pay for someone to host a root authority for you? (Answer: because it's cheaper in the long run. Now your internal root authority must be available whenever and wherever clients may need it, and eventually this means externally. I know, not today, not by design, … but in the long run. Buying a certificate from an established CA for these simple cases avoids the need to host your own CA today and avoids a migration tomorrow. But you live, you learn …)
Your authority must be added to the list of trusted root authorities. You’ve updated AD and most clients have the update. Some XP clients do not. Time to troubleshoot the clients …
Is automatic updating of trusted root certificates enabled?
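As an added example (not part of this answer), a PowerShell check that can be run on a client to confirm the internal root is present in the machine's Trusted Root store and to report whether the root auto-update policy has been disabled. The thumbprint is a placeholder for your own CA's, and the `DisableRootAutoUpdate` policy value is the standard Windows setting, not something taken from the thread.

```powershell
# Added example: check one Windows client for the internally issued root CA
# and for the automatic root certificate update policy.
# Assumptions: $RootThumbprint is the SHA-1 thumbprint of your own root CA
# (placeholder value below); run in an elevated PowerShell on the client.
param(
    [string]$RootThumbprint = 'PLACEHOLDER_ROOT_CA_THUMBPRINT'
)

function Test-InternalRootTrust {
    param([string]$Thumbprint)

    # Normalise the thumbprint (strip spaces/colons, upper-case hex).
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # The logical LocalMachine\Root store merges locally installed roots with
    # those delivered by Group Policy, so an AD-pushed root shows up here.
    $found = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1

    # Policy value that turns off the automatic root certificate update mechanism.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $disabled = $false
    if (Test-Path -Path $policyPath) {
        $props = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.DisableRootAutoUpdate -eq 1) {
            $disabled = $true
        }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        RootPresent    = [bool]$found
        RootSubject    = if ($found) { $found.Subject } else { $null }
        RootExpires    = if ($found) { $found.NotAfter } else { $null }
        AutoRootUpdate = -not $disabled
    }
}

Test-InternalRootTrust -Thumbprint $RootThumbprint | Format-List
```

A client that reports `RootPresent : False` has not received the AD-distributed root and is the one to troubleshoot; `AutoRootUpdate : False` means the policy has switched the update mechanism off on that machine.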