I ran this through a lab and was able to reproduce the error.
The link in the error message takes you to: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account
Following the instructions I ran:
Set-ADSyncBasicReadPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]
and
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]
- I only have this set up in a lab. You would need to run each command to add each set of permissions required for each component of AD Connect that you use.
I ran the wizard again to add the new subdomain. It still showed the error like before, but it did add it to the sync.
The only difference was that in the lab it complained about the 'correct' account not having access to the subdomain. By correct I mean the service account in the forest I was working in, and not the second forest joined to AD Connect, where there is a different service account. :)
On Tuesday I'll give production a try.
*There was part of me that was worried that these commands would somehow replace the existing service account. You can't replace the service account at all; the commands can update the permissions on an account, though. And I guess if you reinstalled you could use it.
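An added example, not part of the original post, of the two permission grants above followed by a check of what the connector account actually received on the new subdomain. It assumes the ADSyncConfig module that ships with Azure AD Connect and the ActiveDirectory RSAT module are available on the box; the account and domain names are placeholders.

```powershell
# Added example (not from the original post): apply the permission sets the post ran,
# then verify the ACEs on the newly added subdomain. Names below are placeholders.
Import-Module ADSyncConfig        # installed with Azure AD Connect
Import-Module ActiveDirectory     # RSAT, provides the AD: drive used for the check

$account = 'MSOL_placeholder'     # placeholder: the existing AD DS Connector account
$domain  = 'corp.example'         # placeholder: domain that holds that account
$newSub  = 'sub.corp.example'     # placeholder: the subdomain being added to sync

# The two permission sets from the post. Add the other Set-ADSync*Permissions cmdlets
# for every AD Connect feature in use (password hash sync, writeback, Exchange hybrid ...).
$target = @{ ADConnectorAccountName = $account; ADConnectorAccountDomain = $domain }
Set-ADSyncBasicReadPermissions @target
Set-ADSyncMsDsConsistencyGuidPermissions @target

# Check: list the ACEs on the subdomain's naming context that name the connector account,
# so a "no access to the subdomain" wizard error can be confirmed or ruled out.
$dn  = (Get-ADDomain -Identity $newSub).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$account" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

If the filtered list is empty, the grants did not land on that domain and the wizard error is expected to persist.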