diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 16f2ef822..325eb8450 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -491,7 +491,7 @@ cn: ${REALM}_subid_range
 ipaBaseID: eval($SUBID_RANGE_START)
 ipaIDRangeSize: eval($SUBID_RANGE_SIZE)
 # HACK: RIDs to work around adtrust sidgen issue
-ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+ipaBaseRID: eval($SUBID_BASE_RID)
 # 738065-838566 = IPA-SUB
 ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
 # HACK: "ipa-local-subid" range type causes issues with older SSSD clients
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index e10703aa3..890eb7f1f 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -102,7 +102,7 @@ default: cn: ${REALM}_subid_range
 default: ipaBaseID: $SUBID_RANGE_START
 default: ipaIDRangeSize: $SUBID_RANGE_SIZE
 # HACK: RIDs to work around adtrust sidgen issue
-default: ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+default: ipaBaseRID: eval($SUBID_BASE_RID)
 default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
 # HACK: "ipa-local-subid" range type causes issues with older SSSD clients
 # see https://github.com/SSSD/sssd/issues/5571
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 21adbd832..822862d0b 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -59,8 +59,10 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
 """
 if idstart is None:
 idrange_size = None
+ subid_base_rid = None
 else:
 idrange_size = idmax - idstart + 1
+ subid_base_rid = constants.SUBID_RANGE_START - idrange_size
 return dict(
 REALM=realm,
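Review bot: The new line `ipaBaseRID: eval($SUBID_BASE_RID)` no longer shows how the RID base is derived, and the `# HACK` comment above it does not say either. Since this value appears to determine the RIDs that sidgen assigns to sub-ID entries, I would add a comment such as `# SUBID_BASE_RID = SUBID_RANGE_START - IDRANGE_SIZE, computed in ldapupdate.get_sub_dict()` here and at the matching line in install/updates/73-subid.update. In the update file the neighbouring `default: ipaBaseID: $SUBID_RANGE_START` is substituted without `eval(...)`, so wrapping a single precomputed variable looks unnecessary there. `default: ipaBaseRID: $SUBID_BASE_RID` would presumably do, assuming the template engine renders the integer the same way.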
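Review bot: In the `idstart is None` branch, `subid_base_rid = None` ends up as `SUBID_BASE_RID`, which both templates in this commit expand inside `eval($SUBID_BASE_RID)`. What the template engine renders for `None` is not visible here, but a caller that omits idstart could write a non-numeric `ipaBaseRID` or fail late during expansion, so an explicit error before any LDAP write would be safer. The `else` branch also assumes idmax is set whenever idstart is, and the result is not range-checked. A guard such as `if subid_base_rid < 0: raise ValueError("ID range larger than SUBID_RANGE_START")` would keep an oversized range from producing a negative RID base. get_sub_dict starts above this hunk and continues below it.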
@@ -81,6 +83,7 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
 SUBID_RANGE_SIZE=constants.SUBID_RANGE_SIZE,
 SUBID_RANGE_MAX=constants.SUBID_RANGE_MAX,
 SUBID_DNA_THRESHOLD=constants.SUBID_DNA_THRESHOLD,
+ SUBID_BASE_RID=subid_base_rid,
 DOMAIN_HASH=murmurhash3(domain, len(domain), 0xdeadbeef),
 MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
 MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,