"The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data."
Try to fix it by: certutil -dcinfo deleteBad
MS Article 555151
The problem was shown in a DC system event log; previously a different CA was installed in the domain. I did delete all old CAs as recommended in 555151, but actually created a new CA on the DC first. So far, after running certutil, I can still see the old certificates.
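To see which certificates remain in the domain controller's computer store and what chain status each one reports, a read-only PowerShell check can be run on the DC. This is an added example, not part of the original post or of article 555151; the EKU list used to mark KDC-related certificates is an assumption about which certificates are of interest.

```powershell
# Added example (read-only): report the chain status of every certificate in
# the DC's computer store. Nothing is deleted or modified.

# Assumption: EKUs that typically appear on domain controller certificates.
$kdcRelatedEku = @(
    '1.3.6.1.5.2.3.5',          # KDC Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.5.7.3.1',        # Server Authentication
    '1.3.6.1.5.5.7.3.2'         # Client Authentication
)

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # $true = build the chain in the machine context, as a service on the DC would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)

    # Collect the EKU OIDs carried by this certificate, if any.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        KdcRelated  = [bool]($ekuOids | Where-Object { $kdcRelatedEku -contains $_ })
        ChainOk     = $chainOk
        # Empty when the chain builds cleanly; otherwise e.g. PartialChain,
        # NotTimeValid, RevocationStatusUnknown.
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $chain.Reset()
} | Sort-Object ChainOk, NotAfter | Format-List
```

Entries with `ChainOk : False` are the ones to compare against the name of the current CA in the `Issuer` field.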