Minor update:
I'm a little baffled. I'm not even entirely sure it's a firewall issue at this point, but it has to be, right? I got on the shell for my ESXi host and ran these two commands:
esxcli network firewall set --enabled=false
esxcli network firewall set --default-action=true
That should, in theory, completely disable the firewall (temporarily, for testing purposes). Even if, for some reason, it wasn't disabled, the default behavior should have been to allow the traffic.
Yet, when I try to Test-NetConnection from my Domain Controller to the ESXi host over port 135 or 389, I get an immediate 'WARNING: TCP connect to (ip address:389) failed' message. Like, immediately.
Okay, so it's got to be a switch-based firewall in the way then. Except, there's a Windows NAS running on the same exact subnet a single IP address number away from my ESXi host, and I can get port 135 TCP traffic there with no issue.
What exactly could possibly be the issue here? I must be missing something very simple.
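The distinction worth making when a connect fails this fast is between a connection that is refused (the host sends a TCP RST, meaning the packet reached it and nothing is filtering it, but no service is bound to that port) and one that is filtered (no reply at all until the timeout, which is what a firewall dropping the SYN looks like). The small probe below is an added example, not code from the post; the host address and port list are placeholder values, and `self_check()` reproduces both outcomes on loopback so it can run without a lab.

```python
import socket
import time

# Placeholder target (assumed value, not from the post): replace with the
# ESXi host's address and the ports you want to check.
ESXI_HOST = "192.0.2.10"
PORTS = (135, 389, 443)

def probe_tcp(host, port, timeout=3.0):
    """One TCP connect, classified. Returns (state, elapsed_seconds):
    "open"      handshake completed, a service is listening
    "refused"   host replied with RST: reachable, not filtered, no listener
    "filtered"  no reply before the timeout: something drops the SYN
    "error"     other socket failure (e.g. no route to host)
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "refused"
    except socket.timeout:
        state = "filtered"
    except OSError:
        state = "error"
    finally:
        sock.close()
    return state, time.monotonic() - start

def probe_host(host, ports, timeout=3.0):
    """Probe several ports; returns {port: (state, elapsed)}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}

def self_check():
    """Offline demo on loopback: the same port reads "open" while a listener
    is bound and "refused" (an immediate RST) once the listener is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening, _ = probe_tcp("127.0.0.1", port, 2.0)
    listener.close()
    after_close, elapsed = probe_tcp("127.0.0.1", port, 2.0)
    return while_listening, after_close, elapsed

if __name__ == "__main__":
    for port, (state, elapsed) in probe_host(ESXI_HOST, PORTS).items():
        print(f"{ESXI_HOST}:{port} -> {state} ({elapsed:.2f}s)")
```

A "refused" result points at the host's own listener set rather than at any firewall, so the next thing to compare it against is what the host actually has bound (on ESXi, `esxcli network ip connection list` shows that).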