For a DC to be able to service smartcard logons the DC must have a valid and suitable certificate present in the personal store of the computer account.This is typically autoenrolled for whenever a Windows CA server has been installed into the AD environment.
The KDC service on W2k8 R2 monitors the personal certificate store of the computer account it is running on and gets notified when changes occur.At that point a KDC certificate selection process gets kicked off and the Kerberos Distribution Center service parses the contents of the store for any suitable certificates.
The same KDC certificate selection process is invoked when the KDC service is (re)started and every 10 hours afterwards.
One thing to note from a troubleshooting perspective is that it is perfectly possible for the KDC to be unhappy with a DC certificate that is currently being used successfully for LDAPS for example.I.e. beware of drawing any conclusions from testing if an LDAPS connection to the DC works - the KDC component does additional checks when considering if the cert is a suitable KDC cert candidate.If the personal store of the computer account doesn't contain any KDC cert at all or if only the Public key part of the potential KDC certificate is present then that will of course cause the KDC cert selection to fail as there will be 0 candidates for a KDC cert in that case.
Related links:Event ID 29 when starting KDC service on Windows Server 2008 R2 DC'shttp://blogs.technet.com/b/instan/archive/2011/09/12/event-id-29-when-starting-kdc-service-on-windows-server-2008-r2-dc-s.aspxSmartcard logon using certificates from a 3rd party on a domain controller and KDC eventID 29http://blogs.technet.com/b/instan/archive/2011/05/17/smartcard-logon-using-certificates-from-a-3rd-party-on-a-domain-controller-and-kdc-event-id-29.aspx
CAPI2 Event ID 11 Retakehttp://blogs.technet.com/b/instan/archive/2011/09/27/capi2-event-id-11-retake.aspx