
Elastic Desktop Service: Create and manage an AD-based office network

Last Updated: Feb 10, 2026

Elastic Desktop Service (EDS) Enterprise supports both convenience accounts and enterprise Active Directory (AD) accounts. When you create an office network, you can base it on either account type. This topic describes how to create and manage an office network based on enterprise AD accounts.

Billing

An AD-based office network connects to your enterprise AD through an AD Connector. AD Connector is billed on a pay-as-you-go basis. The fee is determined by the usage duration and unit price, which varies by specification. For more information, see AD Connector pricing.

To stop billing, delete the office network. For more information, see Delete an office network.

Prerequisites

Before you begin, ensure that you have:

  • An enterprise AD environment. If the AD domain controller and DNS server are deployed on different servers, make sure that the DNS on the AD domain controller points to the IP address of the DNS server.

  • A Cloud Enterprise Network (CEN) instance, with both the enterprise AD VPC and the office network VPC associated with the same CEN instance. For more information, see Create a CEN instance.

    Note

    If the AD domain controller and DNS server are deployed in an on-premises data center, connect the on-premises network to Alibaba Cloud by using Express Connect, VPN Gateway, or Smart Access Gateway (SAG). For more information, see Select a private network service.

  • The required network ports opened. The office network VPC must access the following ports on the AD domain controller. Make sure that these ports are allowed in the firewall, security group, or security software on the AD domain controller and DNS server.

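    | Protocol type | Port or port range | Description | Authorized object |
    |---|---|---|---|
    | Custom UDP | 53 | DNS | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom UDP | 88 | Kerberos | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom UDP | 123 | Windows Time | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom UDP | 137 | NETBIOS | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom UDP | 138 | NETBIOS | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom UDP | 389 | LDAP | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom UDP | 445 | CIFS | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom UDP | 464 | Kerberos password change/reset | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 53 | DNS | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 88 | Kerberos | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 135 | Replication | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 389 | LDAP | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 443 | HTTPS | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 445 | SMB/CIFS | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 636 | LDAP SSL | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 9389 | PowerShell | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 49152–65535 | RPC | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |
    | Custom TCP | 3268–3269 | LDAP GC and LDAP GC SSL | Office network IPv4 CIDR block, for example, 192.168.XX.XX/24 |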
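
The port requirements above can be audited offline against the allow rules protecting the domain controller. The following is an added example, not Alibaba Cloud code: it reports required ports that the office network cannot reach and rules that open those ports to a source wider than the office network CIDR block. The rule tuple format, `SAMPLE_RULES`, and the `audit` function are assumptions made for illustration.

```python
import ipaddress

# Ports the table above requires on the AD domain controller and DNS server,
# as (protocol, first_port, last_port).
REQUIRED = [("udp", p, p) for p in (53, 88, 123, 137, 138, 389, 445, 464)]
REQUIRED += [("tcp", p, p) for p in (53, 88, 135, 389, 443, 445, 636, 9389)]
REQUIRED += [("tcp", 3268, 3269), ("tcp", 49152, 65535)]

# Constructed sample allow rules: (protocol, first_port, last_port, source CIDR).
# This normalized form is hypothetical, not a vendor export format.
SAMPLE_RULES = [
    ("udp", 53, 53, "192.168.10.0/24"),
    ("udp", 88, 464, "192.168.10.0/24"),
    ("tcp", 53, 53, "192.168.10.0/24"),
    ("tcp", 88, 445, "0.0.0.0/0"),
    ("tcp", 636, 636, "192.168.10.0/24"),
    ("tcp", 3268, 3269, "192.168.10.0/24"),
    ("tcp", 49152, 60000, "192.168.10.0/24"),
]


def audit(rules, office_cidr):
    """Return (missing, too_broad) for the given allow rules.

    missing:   required ranges not fully open to the whole office CIDR block.
    too_broad: rules on required ports whose source is wider than that block.
    """
    office = ipaddress.ip_network(office_cidr)
    missing, too_broad = [], []
    for proto, lo, hi in REQUIRED:
        # Port spans of this protocol that admit every office network address.
        spans = sorted((r[1], r[2]) for r in rules if r[0] == proto
                       and office.subnet_of(ipaddress.ip_network(r[3])))
        need = lo  # lowest required port not yet known to be covered
        for first, last in spans:
            if first <= need <= last:
                need = last + 1
        if need <= hi:
            missing.append((proto, lo, hi))
    for rule in rules:
        src = ipaddress.ip_network(rule[3])
        on_required = any(rule[0] == p and rule[1] <= hi and lo <= rule[2]
                          for p, lo, hi in REQUIRED)
        if on_required and src != office and office.subnet_of(src):
            too_broad.append(rule)
    return missing, too_broad
```

With the constructed sample, the audit reports TCP 9389 and the RPC range as not fully reachable, and flags the TCP 88-445 rule because its source is 0.0.0.0/0 instead of the office network CIDR block.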

Create an office network

  1. Log on to the Elastic Desktop Service Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the top navigation bar, select a region.

  4. On the Office Networks page, click Create Office Network.

  5. In the Create Office Network panel, select Advanced Office Network, complete the other configurations, and click Next: Configure Account System.

    Configuration descriptions

    Configuration item

    Description

    Select Region

    The region where the office network resides. For information about supported regions and related limits, see Regions.

    Office Network Name

    The office network name is used to identify and quickly find the office network.

    IPv4 CIDR block

    When you create a cloud computer in an office network, an IP address is automatically assigned to the cloud computer from the IPv4 CIDR block of the office network's VPC. The number of IP addresses in the VPC CIDR block determines the maximum number of cloud computers that the network can accommodate. Plan your CIDR blocks carefully. For more information, see Plan CIDR blocks.

    By default, you can set the office network VPC to the following IPv4 CIDR blocks and their subnets:

    • 192.168.0.0/16

    • 10.0.0.0/12

    • 172.16.0.0/12

    To use other custom IPv4 CIDR blocks, you can submit a ticket to get technical support from Alibaba Cloud.

    Cloud Computer Connection Method

    The connection type determines how end users connect to cloud computers within the office network. The supported options include the following:

    • The Internet: Allows connections only over the Internet. This is the default option. To use this method, the on-premises device that is used to connect to the cloud computer must have Internet access.

    • Enterprise private network (VPC): Allows connections only through a VPC. To use this method, you must attach the office network to a Cloud Enterprise Network (CEN) instance. Then, you can use products such as Express Connect (leased lines), Smart Access Gateway (SAG), or VPN Gateway to connect your on-premises network to the cloud network. For more information, see Attach an office network to or detach an office network from a CEN instance and How do I choose a private network product?

    • The Internet and enterprise private network (VPC): Supports both of the connection types described above.

    Note

    VPC connections rely on the Alibaba Cloud PrivateLink service, which is free of charge. When you select VPC Connection or Both Public Network and VPC Allowed, the system automatically activates the PrivateLink service for you.

    Cloud Enterprise Network

    To use the VPC connection method, select Join. You can select a Cloud Enterprise Network instance ID from the same account or a different account, as needed.

    Note

    If your on-premises network connects to the cloud network through Smart Access Gateway, Express Connect (leased line), or VPN Gateway, the office network must join the same Cloud Enterprise Network instance.

    To ensure that cloud computers in the office network can be used normally, after you select a Cloud Enterprise Network instance ID, click Validate. This checks for conflicts between the routes of the selected Cloud Enterprise Network instance and the office network's IPv4 CIDR block. If the validation fails, click View Conflict Details and Recommended CIDR Blocks. Then, reset the IPv4 CIDR block or CEN instance based on the suggestions.

  6. In the Configure Account System step, select Enterprise AD Account in the Account Type area, configure the following parameters, then click OK.

    Parameters

    Parameter

    Description

    Domain Name

    Your enterprise AD domain name, for example, example.com. If the console displays a message that the domain name is invalid, submit a ticket.

    Domain Controller Hostname

    The hostname configured on your AD domain controller. If the AD domain controller and DNS server are deployed on different servers, you must specify this parameter to identify the domain controller and improve the success rate of office network creation. If they are deployed on the same server, this parameter is optional.

    DNS Address

    The IP address of the DNS server for your enterprise AD. If the AD domain controller and DNS server are on the same server, enter the IP address of the AD domain controller. Make sure that this IP address is reachable from the office network configured in the previous step.

    Add Secondary Domain Controller Hostname/DNS Address

    Click Add Secondary Domain Controller Hostname/DNS Address to configure a backup domain controller and DNS address for high availability. If the primary domain controller is unavailable, operations such as creating cloud computers, assigning cloud computers to AD accounts, and user logons are not affected.

    Local Administrator

    A local administrator can install software and perform tasks that require local administrator privileges. If you select Specify AD User as Local Administrator, all authorized users in this office network have local administrator privileges. You can also set local administrators in the AD domain controller. For more information, see Set cloud computer local administrators.

    AD Connector Type

    Select a specification based on the estimated number of cloud computers:

    • General: For up to 1,000 cloud computers.

    • Advanced: For more than 1,000 cloud computers.

  7. In the Create Office Network panel, click Close. On the Office Networks page, check the Status column:

    • If the status is Configure users, the office network is created successfully. Click the office network ID, then in the Basic Information section, click Configure next to Status to complete user configuration.

    • If the status is Configure the domain information, check and correct the Account Type settings, the network connection between the office network and the DNS server, and the security group rules of the DNS server. Then, on the office network details page, click Retry to re-create the office network. For more information, see FAQ about AD office networks.
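
The IPv4 CIDR block and Cloud Enterprise Network settings in step 5 can be sanity-checked before you open the console. The following is an added example, not the console's validation logic: it assumes a conflict means the office block overlaps a destination CIDR already routed in the CEN instance, and the `precheck` and `suggest` functions and `SAMPLE_ROUTES` are hypothetical names with constructed data.

```python
import ipaddress

# Default blocks the page lists for the office network VPC, copied as written.
DEFAULT_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("192.168.0.0/16", "10.0.0.0/12", "172.16.0.0/12")]

# Constructed sample: destination CIDRs already routed in the CEN instance.
SAMPLE_ROUTES = ["192.168.0.0/17", "172.16.0.0/16", "10.0.0.0/8"]


def precheck(office_cidr, cen_routes):
    """Check a planned office network block before creating the network."""
    office = ipaddress.ip_network(office_cidr)  # ValueError if host bits are set
    routes = [ipaddress.ip_network(r) for r in cen_routes]
    return {
        # True when the block is one of the default blocks or a subnet of one.
        "in_default_block": any(office.subnet_of(b) for b in DEFAULT_BLOCKS),
        # Assumption: any overlap with an existing route counts as a conflict.
        "conflicts": [str(r) for r in routes if office.overlaps(r)],
        # Size of the block; an upper bound on cloud computers, not a quota.
        "addresses": office.num_addresses,
    }


def suggest(prefixlen, cen_routes):
    """Return the first default-block subnet of this size that overlaps no route."""
    routes = [ipaddress.ip_network(r) for r in cen_routes]
    for block in DEFAULT_BLOCKS:
        if prefixlen < block.prefixlen:
            continue  # requested block is larger than this default block
        for cand in block.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(r) for r in routes):
                return str(cand)
    return None
```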

Configure users

  1. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  2. In the top navigation bar, select a region.

  3. On the Office Networks page, click the office network ID of the target office network.

  4. On the office network details page, perform one of the following actions:

    • In the Basic Information area, click Configure next to Status.

    • In the Account Type area, click Configure next to Domain Username.

  5. In the Configure AD Domain panel, enter the domain username and password, confirm the password, then click Verify.

    Note

    The domain user must have permissions to join computers to the AD domain and read user attributes, so that cloud computers in this office network can be added to the AD domain server and assigned to users.

  6. After verification succeeds, in the Account Type area, click Edit next to OU, then select an OU from the OU drop-down list.

After configuration, the office network status changes to Registered. You can now create cloud computers or cloud computer shares in this office network.

Modify domain controller settings

After an AD office network is created, if the domain controller address changes, you can update the domain controller hostname and DNS address.

  1. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  2. In the top navigation bar, select a region.

  3. On the Office Networks page, click the office network ID of the target office network.

  4. In the AD Configuration section, click Edit next to Domain Controller Hostname/DNS Address, enter the new hostname and DNS address, then click OK.

    Note

    If the modification fails, the domain controller hostname and DNS address revert to their previous values.

Set cloud computer local administrators

A local administrator can install software and perform tasks that require local administrator privileges. You can enable local administrators when creating the office network, or configure them in the AD domain controller.

| Method | Advantage | Disadvantage |
|---|---|---|
| Set during office network creation | Simple one-time setup. All authorized users in the AD office network become local administrators. | Applies at the office network level. All cloud computers in the office network have local administrator privileges. Not granular. |
| Set in the AD domain controller | Granular control. Assign local administrator privileges to specific users as needed. | Requires manual configuration in the AD domain controller. More steps involved. |

For information about how to set local administrators in the AD domain controller, see How do I set local administrators in an AD domain?

Manage an office network

After creating the office network, you can perform the following common management tasks:

Delete an office network

You must release all cloud computer resources in the office network before you can delete it. After you delete an AD-based office network, AD Connector billing stops.

Warning

Before deleting an office network, make sure that all important resources and data in the office network have been backed up. Deleted resources and data cannot be recovered.

  1. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  2. In the top navigation bar, select a region.

  3. On the Office Networks page, find the target office network, then click Delete in the Actions column.

  4. In the confirmation dialog box, read the prompt and click OK.

Next steps

After creating the office network, you can: