I didn’t encounter this problem specifically, but when they installed the seven on machines in their domain under 2003 r2, they also got a large number of inexplicable problems. The main source is different versions of AD. Some of them were patched over time with patches, some of them were patched with hands, but the domain did not work smoothly. If you still plan to work with the domain, it is best to change the server to 2008 R2. Better a terrible end than endless horror. =)

Yes, the 2008 server will be better, however, what is given is given :) alas, there is no way to defeat this problem by “cutting off a sore limb”.
As far as I managed to figure it out, the problem is in some particular checkbox (oh, how I don’t like Windows for this) policy settings. Since in the domain they (policies) are still used for individual user groups ... Their comparison revealed too many differences, I somehow didn’t get used to working by typing, but apparently I have to.
Tell me at least where to dig, or what exactly not to pay attention to - i.e. what can be ruled out?

Did you touch the firewall with politicians there?
"arp -a" seems to fix at least? At least some packet comes to the network card?
For the sake of the purity of the experiment, try on a typewriter with features to see the presence of a firewall service and the rules in them that allow DHCP patency. By the way, just try to add the rules (even if the firewall is disabled, you need to turn it on, add it and turn it off) allowing DHTsP.

A small offtopic:
1. It is not recommended to edit the Default Domain Policy - create a separate policy to edit the parameters you need.
2. It makes no sense to disable the Default Domain Policy - transfer all computers with the seven to a separate OU and enable Inheritance Blocking on it until you figure out the problem.
3. there are several possible solutions: social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/2a18bb78-211a-42e4-809a-8be4133149e6/
On the topic:
1. what about the firewall on the seven and what changes were made?
2. It would be great to see the resulting policy.
3. what's in the system logs?

Make rsop with default domain policy enabled, show it here. Can there what scripts left work out.

Did you touch the firewall with politicians there?

They didn’t touch it ... The Windows firewall is disabled, the server has a third-party SSEP firewall (a FSTEC-certified PD protection tool ... that’s still “dull” ... actually Russified Outpost with a rewritten gui, with a twist to the Kaspersky interface; but in this case, it’s definitely not him, he’s already they crawled up and down, and besides, everything is fine if you do not activate the same policy.)

what's in the system logs?

And the ladies are pristine ... notifications, not even warnings, not that there are errors.

it would be great to see the resulting policy.

but actually the policy, it's not rsop, but I think it will fit, this is a summary from Group Policy Manager,.

Make rsop with default domain policy enabled

It will be fraught with ... I'll try after hours. If I turn off inheritance, then you will not see anything in rcop, if not, then tomorrow morning again the tambourine in hand and run :)

Reset all settings in the Computer Configuration \ Windows Settings \ System Services section, many important system services (for example, RPC) are disabled there, which can cause all sorts of funny glitches.