If one of these is present in the certificate, the KDC will consider it potentially usable as a DC certificate capable of servicing smartcard logons (if it also passes revocation checks). The last two are present in the W2k3 code while the first one was introduced with Windows Server 2008.
The following two OIDs are typically also used for the EKUs of a KDC certificate:
In addition to this, the direct issuer of the potential KDC certificate needs to be in the NTAuth store of the DC, and all certificates in the chain (except the Root CA cert) need to pass revocation checking as well. Finally, as per RFC 5280, the SubCA certificate used to sign the CRL that covers the Domain Controller certificate must include the CERT_CRL_SIGN_KEY_USAGE flag in its Key Usage extension.

Note: This is a change from the Windows Server 2003 behaviour, which did not enforce the RFC 5280 requirements concerning the key usage flag of the certificate used to sign the CRL.

Without these you'll most likely see KDC Event ID 19 or KDC Event ID 29 being logged on the DC whenever the KDC service starts and every 10 hours afterwards when it tries to locate a valid domain controller certificate.
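The checks above, run against one certificate in the DC's machine store, as an added PowerShell example that is not from the original article. The function name `Test-KdcCertChain` and its `-Thumbprint` parameter are hypothetical, the NTAuth lookup assumes the DC's local registry copy of that store, and the .NET chain engine only approximates the KDC's own validation.

```powershell
# Added example; Test-KdcCertChain and -Thumbprint are hypothetical names.
# Usage: Test-KdcCertChain -Thumbprint '<thumbprint of the DC certificate>'
function Test-KdcCertChain {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Build the chain in machine context ($true) with online revocation
    # checking for every element except the root.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # ChainElements[0] is the certificate itself, [1] is its direct issuer.
    $issuer = $null
    if ($chain.ChainElements.Count -ge 2) {
        $issuer = $chain.ChainElements[1].Certificate
    }

    $inNtAuth = $false
    $crlSign  = $false
    if ($issuer) {
        # Assumption: the local copy of the NTAuth store is under this key,
        # with one subkey per certificate thumbprint.
        $ntAuth   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
        $inNtAuth = Test-Path -Path (Join-Path $ntAuth $issuer.Thumbprint)

        # CRL-signing bit in the issuer's Key Usage extension. A missing
        # extension is reported as $false (a choice made for this example).
        $ku = $issuer.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        }
        if ($ku) {
            $flag    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::CrlSign
            $crlSign = [bool]($ku.KeyUsages -band $flag)
        }
    }

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = if ($issuer) { $issuer.Subject } else { '(no issuer in chain)' }
        ChainValid       = $chainOk
        ChainStatus      = $status
        IssuerInNTAuth   = $inNtAuth
        IssuerHasCrlSign = $crlSign
    }
}
```

A `$false` in any of the last three columns points at the requirement to investigate when KDC Event ID 19 or 29 is logged.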
Further details:
Requirements for Domain Controller certificates from a Third-party CA http://support.microsoft.com/kb/291010
Guidelines for enabling smart card logon with third-party certification authorities http://support.microsoft.com/kb/281245
Kerberos Authentication Template http://technet.microsoft.com/sv-se/library/cc730826(WS.10).aspx