Why does my domain controller refuse to talk to a client on a different subnet?

1

I have an office subnet (say 192.168.10.x) and a guest subnet (192.168.99.x) which both use a pfSense box as their gateway/router. The office subnet is "controlled" by Active Directory using Windows 2003 domain controllers -- the DCs give out DHCP leases, control DNS, etc. My guest subnet is controlled by pfSense.

I want a WinXP client machine that sits on the guest subnet to access Active Directory resources as if they were on the office subnet.

VPN might be a possibility, but because both subnets are controlled by the same pfSense box the routing is getting confused.

VLANs are not really a possibility.

I think I almost have this working, but I am getting stuck. Foolishly, we have file servers and even Exchange on our domain controllers, and the client can't access those resources properly.

Here's what's working:

  • The client and most machines on the office subnet can communicate with each other.
  • I set up the guest subnet in Active Directory Sites and Services.
  • The client has access to the DNS on the office subnet (which are also running on the domain controllers).
  • The client can RDP into non-domain controllers on the office subnet.
  • I think the client can even authenticate to log in properly.
  • I manually added a DNS entry for the client into Active Directory's DNS.

BUT the client cannot RDP into a domain controller, access Exchange, or access file shares. When I move the client to the office subnet then it can do these things.

The server event logs don't provide any clues, as far as I can tell.

The client event logs have some clues. Here is an example:

W32Time eventID 18

The time provider NtpClient failed to establish a trust relationship between this
computer and the MYDOMAIN domain in order to securely synchronize time. NtpClient 
will try again in 60 minutes. The error was: The trust relationship between this 
workstation and the primary domain failed. (0x800706FD)

If there is no trust relationship then I should not be able to authenticate, but I am pretty sure I can. (I will double-check to make sure it is not just cached credentials.)

I suspect that there is some setting on the domain controllers that makes them not trust my client when it is on the remote subnet. But I am having trouble finding what it might be, or where to find documentation on this.

What am I missing?

Are there other solutions to this problem I should consider?

active-directory
domain-controller
subnet
pfsense
asked on Server Fault Jun 16, 2011 by Paul Nijjar

2 Answers

5

If the client is joined to the domain then the only thing preventing it from communicating properly would be that traffic is not being routed correctly from one subnet to the other, that the client has the wrong DNS settings, or that the firewall is blocking the required traffic from one subnet to the other.

Having the other subnet set up in ADS&S doesn't really do you any good if there isn't a DC there or there are no AD integrated services (Exchange, DFS) there.

answered on Server Fault Jun 16, 2011 by joeqwerty
0

Possibly Windows firewall on your servers that only allow some types of traffic from the local subnet? Also verify that the clients are using the appropriate AD DNS server. If you're allowing all traffic between the sites on pfSense, it's not the culprit. Packet capture on the LAN facing the DC would be telling: if it's a local firewall on that server only allowing local subnet traffic, you'll see the traffic leaving LAN and never getting a response.

answered on Server Fault Jun 16, 2011 by Chris Buechler
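One way to read the capture the answer above suggests, as an added example that is not part of the thread: this script parses tcpdump -n text lines from the DC-facing LAN and lists TCP SYNs from the guest subnet (assumed 192.168.99.x) to AD/Exchange ports on the office subnet that never got a SYN-ACK back. The capture lines, port list and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Service ports a domain-joined client needs on a 2003 DC (assumed subset)
AD_PORTS = {53: "DNS", 88: "Kerberos", 123: "NTP", 135: "RPC",
            389: "LDAP", 445: "SMB", 3389: "RDP"}

# Matches "IP src.sport > dst.dport: Flags [S]" in tcpdump -n output
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

# Constructed sample: SMB and RDP SYNs from the guest client go unanswered,
# LDAP is answered, and an office-subnet host reaches SMB fine.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 192.168.99.20.1054 > 192.168.10.5.445: Flags [S], seq 1, win 65535, length 0
10:00:01.000300 IP 192.168.99.20.1055 > 192.168.10.5.389: Flags [S], seq 2, win 65535, length 0
10:00:01.000400 IP 192.168.10.5.389 > 192.168.99.20.1055: Flags [S.], seq 9, ack 3, win 8192, length 0
10:00:02.000100 IP 192.168.99.20.1054 > 192.168.10.5.445: Flags [S], seq 1, win 65535, length 0
10:00:03.000100 IP 192.168.99.20.1056 > 192.168.10.5.3389: Flags [S], seq 4, win 65535, length 0
10:00:04.000100 IP 192.168.10.7.2000 > 192.168.10.5.445: Flags [S], seq 5, win 65535, length 0
10:00:04.000200 IP 192.168.10.5.445 > 192.168.10.7.2000: Flags [S.], seq 6, ack 6, win 8192, length 0
"""

def unanswered_syns(capture_text, client_prefix="192.168.99."):
    """Return {(dc_ip, port, service): syn_count} for client flows to AD
    ports that saw SYNs (retransmits included) but never a SYN-ACK."""
    syns = defaultdict(int)   # key: (client, cport, dc, dport)
    answered = set()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        sport, dport, flags = int(m["sport"]), int(m["dport"]), m["flags"]
        if flags == "S" and src.startswith(client_prefix) and dport in AD_PORTS:
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S." and dst.startswith(client_prefix) and sport in AD_PORTS:
            answered.add((dst, dport, src, sport))   # same key as the SYN
    result = defaultdict(int)
    for key, n in syns.items():
        if key not in answered:
            _, _, dc, dport = key
            result[(dc, dport, AD_PORTS[dport])] += n
    return dict(result)

if __name__ == "__main__":
    for (dc, port, svc), n in sorted(unanswered_syns(SAMPLE_CAPTURE).items()):
        print(f"{dc}:{port} ({svc}): {n} SYN(s) from guest subnet, no SYN-ACK")
```

A host-firewall rule scoped to the local subnet shows up exactly this way: the SYN reaches the DC's LAN but nothing comes back, while the same port answers office-subnet hosts.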

User contributions licensed under CC BY-SA 3.0