This is very similar to the following article but wanted to post as a separate issue:
http://www.lcs-guides.com/modules.php?name=Forums&file=viewtopic&t=125

Scenario:
LCS 2005 SP1 installed on a server in DC1. All clients using Office Communicator.
It is setup to use TCP 5060. DNS SRV (_sip and _sipinternal) and A (pool.domain.com) records are setup

FQDN root Domain name: dc.domain.com
NetBios domain name of the dc domain: domain
Users email addresses / sip: user.domain.com

Users in DC1 can login fine.
Users in DC2 can not login. DC2 is connected to DC1 via a Cisco VPN (ASA) that is wide open between the sites. There is a domain controller / DNS server in each site.

Errors are:
"Cannot sign in to Communications Service because the server is temporarily unavailable. Please try again later. If the problems persists, contact your system administrator."
- or -
"You have been signed out of Communications Service because that service has been temporarily shut down. Please try again later."

LCSDiag shows a 401 Unauthorized error and doesn't say, but i'm assuming it is NTLM because next it shows a Response 200 after a Request: Register that says Auth: Kerberos. The wierd thing is that it shows "Signed in" = OK, which obviously isn't seen from the client.

I have tried to enable just NTLM or just Kerberos, to no avail. I have verified via ping and nslookup that the clients can see the DNS records. I have even modified the sip from domain.com to dc.domain.com manually, which didn't make a difference. The user could still logon in the local DC but not from DC2.

This is driving me crazy!! Any and all help or suggestions would be appreciated.