That is interesting. I sort of suspected this.
Any suggestions on what things I should make sure are open? Should I be focusing on ports? Or access to specific servers?
Currently, there is full access to all of the domain controllers, DNS, DHCP, our anti-virus server, our computer management server, and a few other things.
A good place to start would probably be to run the 'show datapath session table ...' command to capture what is going on on the client during the transition and then open anything that is being denied (within reason)?