Comment on Anybody here running AD on-prem in your homelab?
nottelling@lemmy.world 9 months ago

.local is reserved for mDNS responses, don’t use that.
It’s more than best practice. Your active directory controllers want to be the resolvers for their members, separate from other zones such as external MX records or the like. Your AD domain should always be a separate zone, aka a subdomain. “ad.example.com”.
If your DCs are controlling members at the top level, you’ll eventually run into problems with Internet facing services and public NS records.
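An added example, not part of the comment above or any project it mentions: a small PowerShell check that applies the two rules in the comment to a proposed AD namespace. It flags a domain ending in .local (reserved for mDNS by RFC 6762) and a domain that is the apex of the public zone rather than a subdomain of it. The domain names are constructed; the live-DC lines at the bottom assume the ActiveDirectory RSAT module is installed.

```powershell
# Added example (not from the original thread). Audits an AD DNS namespace
# against the advice above: no .local suffix, and the AD zone must be a
# subdomain of the organisation's public zone, never the apex itself.
function Test-AdNamespace {
    param(
        [Parameter(Mandatory)][string]$AdDomain,    # e.g. ad.example.com
        [Parameter(Mandatory)][string]$PublicZone   # e.g. example.com
    )

    $findings = @()
    $ad  = $AdDomain.TrimEnd('.').ToLowerInvariant()
    $pub = $PublicZone.TrimEnd('.').ToLowerInvariant()

    # .local is the mDNS domain (RFC 6762); stub resolvers on Linux/macOS may
    # answer it via multicast and never ask your DCs at all.
    if ($ad -eq 'local' -or $ad.EndsWith('.local')) {
        $findings += "'$ad' is under .local, which is reserved for mDNS; name resolution for domain members becomes unreliable."
    }

    # Sharing the apex makes the DCs authoritative for the public records
    # (MX, NS, web hosts), which is the clash the comment warns about.
    if ($ad -eq $pub) {
        $findings += "AD zone '$ad' is the apex of the public zone; use a subdomain such as 'ad.$pub' instead."
    }
    elseif (-not $ad.EndsWith(".$pub")) {
        $findings += "'$ad' is not a subdomain of '$pub'; keep the AD zone delegated beneath the public zone."
    }

    [pscustomobject]@{
        AdDomain   = $ad
        PublicZone = $pub
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed inputs for a dry run (no domain required):
Test-AdNamespace -AdDomain 'corp.local'     -PublicZone 'example.com'   # flagged: .local
Test-AdNamespace -AdDomain 'example.com'    -PublicZone 'example.com'   # flagged: apex
Test-AdNamespace -AdDomain 'ad.example.com' -PublicZone 'example.com'   # compliant

# Against a real forest (assumes the ActiveDirectory module is present):
# $forestRoot = (Get-ADDomain).DNSRoot
# Test-AdNamespace -AdDomain $forestRoot -PublicZone 'example.com'
```

The function only inspects names, so it can be run from any workstation before a domain is promoted; pointing it at Get-ADDomain afterwards confirms an existing forest was laid out as a delegated subdomain.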