Why isn't my ip helper-address helping?

8,245

Double check your scope on the DHCP server. It almost sounds like DHCP is not seeing a valid scope definition for this subnet. Make sure your router address is correct in the scope options.

Try removing the scope and re-adding it from scratch to see if you may have something entered incorrectly that you're not seeing.


Author by

atroon

Updated on September 17, 2022

Comments

  • atroon
    atroon over 1 year

    I have a hub site with a Cisco 2811 and several remote sites, running a mixture of Cisco 851 and 871 routers configured for site-to-site VPN. I am in the process of adding DHCP scopes and DNS zones for the remote computers to enable easier management, and have several of these sites successfully pulling IP addresses and registering in DNS at the central site. Here's a sample of the spoke config from a working site, which I copied to another site (10.30.1.1):

    interface Vlan1
     description Site 302
     ip address 10.30.2.1 255.255.255.0
     ip helper-address 172.16.0.1
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    

    And here's UDP packet debug from the non-working site, 10.30.1.1, which has identical configuration (hardware and software, both Cisco 870 running c870-advipservicesk9-mz.124-15.T7). As you can see, the router is correctly packing up the broadcast from a CPU sending a DHCP broadcast and sending it on to the helper address.

    000150: .Nov 16 20:50:33.752: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
    000151: .Nov 16 20:50:33.752: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=308
    000152: .Nov 16 20:50:38.862: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=263
    000153: .Nov 16 20:50:38.866: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=263
    000154: .Nov 16 20:50:49.683: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
    000155: .Nov 16 20:50:49.683: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=308
    

    But at this site, the helper address never replies, or the replies never get through. I have not yet put a monitor on the DHCP server, as I'm out at the spoke site...that's the next step. But all the access-lists are the same, and what's more, communication to the DHCP server, say, via remote desktop, works flawlessly. Database connections to servers at central site are fine. Every form of communication works, TCP or UDP, except DHCP queries.

    So, what have I missed? The DHCP server is a Windows 2008 server, and has several scopes on it already; is there a limit to the total number of scopes allowed? I didn't think so.
    Obviously the scope is activated. The addresses match. The same DHCP server is happily serving addresses to all the other remote sites.

  • atroon
    atroon over 13 years
    From what I understand, it's supposed to do that. The Cisco box is then responsible to forward that to the local network as a broadcast on that network's scope. I am no CCIE, but the router keeps track of ip-helper requests and when it sees a matching one come back (unicast) it converts it back to a broadcast on the inside network, as if the DHCP server had been on that inside network. Someone with more C's can tell you if I'm wrong.
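The debug output quoted in the question can be checked mechanically for the symptom described: requests relayed to the helper with nothing coming back. This is an added example, not part of the original thread; `relay_summary` and `diagnose` are hypothetical helper names, and the "working site" sample is constructed on the assumption that a relayed reply is logged as `rcvd src=<helper>(67)` followed by a `sent` to port 68.

```python
import re

# Matches Cisco "debug ip udp" lines in the format quoted in the question.
UDP_LINE = re.compile(
    r"UDP: (?P<dir>rcvd|sent) src=(?P<src>[\d.]+)\((?P<sport>\d+)\), "
    r"dst=(?P<dst>[\d.]+)\((?P<dport>\d+)\), length=\d+"
)

def relay_summary(debug_text, helper):
    """Count each leg of the DHCP relay round trip for one helper address."""
    s = {"client_requests": 0, "relayed_to_helper": 0,
         "replies_from_helper": 0, "delivered_to_client": 0}
    for m in UDP_LINE.finditer(debug_text):
        d, sport, dport = m["dir"], int(m["sport"]), int(m["dport"])
        if d == "rcvd" and sport == 68 and dport == 67:
            s["client_requests"] += 1        # client broadcast on the LAN
        elif d == "sent" and m["dst"] == helper and dport == 67:
            s["relayed_to_helper"] += 1      # unicast relay to the helper
        elif d == "rcvd" and m["src"] == helper and sport == 67:
            s["replies_from_helper"] += 1    # server answer back to the relay
        elif d == "sent" and sport == 67 and dport == 68:
            s["delivered_to_client"] += 1    # relay hands the answer to the client
    return s

def diagnose(s):
    """Name the first leg of the round trip that is missing."""
    if s["relayed_to_helper"] < s["client_requests"]:
        return "relay not forwarding every request"
    if s["client_requests"] and s["replies_from_helper"] == 0:
        return "no reply from helper"
    return "relay round trip seen" if s["replies_from_helper"] else "no DHCP traffic"

# Debug lines copied from the question (non-working site).
QUESTION_DEBUG = """\
000150: .Nov 16 20:50:33.752: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
000151: .Nov 16 20:50:33.752: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=308
000152: .Nov 16 20:50:38.862: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=263
000153: .Nov 16 20:50:38.866: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=263
000154: .Nov 16 20:50:49.683: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
000155: .Nov 16 20:50:49.683: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=308
"""

# Constructed sample of a working site (assumed reply format, not from the thread).
WORKING_DEBUG = """\
000201: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
000202: UDP: sent src=10.30.2.1(67), dst=172.16.0.1(67), length=308
000203: UDP: rcvd src=172.16.0.1(67), dst=10.30.2.1(67), length=328
000204: UDP: sent src=10.30.2.1(67), dst=255.255.255.255(68), length=328
"""

if __name__ == "__main__":
    for name, text in (("question", QUESTION_DEBUG), ("working", WORKING_DEBUG)):
        print(name, diagnose(relay_summary(text, "172.16.0.1")))
```

A "no reply from helper" result only says the reply never reached the relay; the debug on the router cannot tell a server that stayed silent apart from a reply lost on the return path.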