We have an ISA 2006 instance that we've put in a DMZ with the NOKIA firewall also performing NAT from the LAN to the DMZ. So the ISA has a class A IP NATted to class C by the firewall.
The server is a 2003 ENT SP2 (although I've uninstalled SP2). Rules on the NOKIA firewall allow traffic out to a domain controller over the correct ports (53, 88, 389, 1026, 3268, 135) and also 3389 for RDP. The server is an HP DL380 G4.
When the machine is on the LAN, I can log onto it using my domain credentials within seconds. However, when the machine is back in the DMZ, it can take up to 40 minutes for the machine to authenticate me, or it just returns to the MSGINA asking me for my credentials.
You must have a route relationship between source and destination network for intradomain communications. If there is NAT anywhere in the path, it won't work because of Kerberos not supporting NAT.