0

There are applications and/or appliances that work with LDAPS. Here, the Kerberos Authentication template period is 1 year.

Normally, it is automatically renewed with auto-enrollment. Will there be an interruption in the applications and/or devices after renewal?

1 - Let's say the Kerberos authentication certificate has expired. And it was automatically renewed within one year via auto-enrollment. Do systems using this certificate need to re-import the new certificate?

2 - Let's say the ROOT CA certificate has expired. And it was automatically renewed within 5 years via auto-enrollment. Do systems using this certificate need to re-import the new certificate?

1
  • This is a server-side certificate; there is no need to re-import anything on the client side. Obviously this certificate needs to be trusted by the client. The root certificate needs to be imported into each computer's trusted root certificate store (for Windows) so the certificate chain can be properly built. Commented Dec 10 at 14:35

1 Answer

0

1 - Let's say the Kerberos authentication certificate has expired. And it was automatically renewed within one year via auto-enrollment. Do systems using this certificate need to re-import the new certificate?

There is only one system "using" this certificate: the host which enrolled for it. It will receive the certificate as part of auto-enrollment.

Other systems don't "use" the certificate, they merely "verify" or "validate" it. They do not need to have the certificate imported because it is signed by a CA known to those systems.

2 - Let's say the ROOT CA certificate has expired. And it was automatically renewed within 5 years via auto-enrollment. Do systems using this certificate need to re-import the new certificate?

The root CA needs to be known by any system which validates issued certificates. If it's renewed, all systems need to know about the new version (even if it wasn't rekeyed and only the expiry date changed, clients need to know that).

I'm not aware of auto-enrollment being able to issue a whole new root CA. If that's actually possible, I assume the auto-enrollment would automatically push it to the correct AD certificate store as well. But in general, the root CA is the one certificate that needs to be either imported manually or delivered via GPO.

Intermediate CAs are another matter – they also need to be known but will usually be delivered automatically, either as part of the handshake (e.g. for TLS usually the server sends all intermediate CA certificates) or downloaded by the client from AIA URLs, so usually there's no need to manually import them to the 'verifying' hosts.
