
Elastic Desktop Service: Create and manage enterprise AD office networks

Last Updated: Dec 04, 2025

Elastic Desktop Service (EDS) Enterprise supports both convenience accounts and enterprise Active Directory (AD) accounts. When creating office networks (formerly workspaces), you can specify their account types. This topic describes how to create enterprise AD office networks.

Billing rules

Enterprise AD office networks connect to AD systems through AD connectors. Charges are based on a pay-as-you-go model, with fees determined by the duration of use and the unit price of the AD connectors. For more information about the prices of AD connectors of different types, see the AD Connector Price section on the Pricing page in the EDS portal.

Delete your enterprise AD office network if it's no longer in use to avoid unnecessary charges. For more information, see Delete an enterprise AD office network.

Prerequisites

  • An enterprise AD system is deployed. If the AD domain controller and DNS server are on separate servers, ensure the AD domain controller's DNS address is set to the DNS server's IP address.

  • A Cloud Enterprise Network (CEN) instance is created, and the virtual private cloud (VPC) of the enterprise AD system and the enterprise AD office network are attached to the CEN instance. For more information about how to create a CEN instance, see Enable communication between cloud and on-premises networks.

    Note

    To connect the on-premises and cloud networks, use Express Connect, Smart Access Gateway (SAG), or VPN Gateway if the AD domain controller and DNS server are deployed in an on-premises data center. For more information, see Select a private network service.

  • Specific ports are opened. The enterprise AD office network's VPC must be able to access the AD domain controller's ports. Ensure that the ports described in the following table are open on the domain controller, the DNS server, and any security software.

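    | Protocol type                       | Port/Port range | Description                                |
    |-------------------------------------|-----------------|--------------------------------------------|
    | Custom User Datagram Protocol (UDP) | 53              | DNS                                        |
    | Custom UDP                          | 88              | Kerberos                                   |
    | Custom UDP                          | 123             | Windows Time                               |
    | Custom UDP                          | 137             | NETBIOS                                    |
    | Custom UDP                          | 138             | NETBIOS                                    |
    | Custom UDP                          | 389             | LDAP                                       |
    | Custom UDP                          | 445             | CIFS                                       |
    | Custom UDP                          | 464             | Password change or reset based on Kerberos |
    | Custom Transmission Control Protocol (TCP) | 53       | DNS                                        |
    | Custom TCP                          | 88              | Kerberos                                   |
    | Custom TCP                          | 135             | Replication                                |
    | Custom TCP                          | 389             | LDAP                                       |
    | Custom TCP                          | 443             | HTTPS                                      |
    | Custom TCP                          | 445             | SMB/CIFS                                   |
    | Custom TCP                          | 636             | LDAP SSL                                   |
    | Custom TCP                          | 9389            | PowerShell                                 |
    | Custom TCP                          | 49152 to 65535  | RPC                                        |
    | Custom TCP                          | 3268 to 3269    | Lightweight Directory Access Protocol (LDAP) Global Catalog (GC) and LDAP GC Secure Sockets Layer (SSL) |

    Authorization object (all UDP and TCP rows): The IPv4 CIDR block of the office network. Example: 192.168.XX.XX/24.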
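The port table above doubles as a least-privilege baseline: every listed port must be reachable from the office network CIDR, and none of them needs a wider source. The following added example (not Alibaba Cloud code) audits a list of allow rules against that baseline; the rule tuple format, the `audit` function, and the sample rules and CIDR are constructed for illustration.

```python
import ipaddress

# Inbound ports the table above requires on the domain controller / DNS server.
REQUIRED = {
    "udp": [(53, 53), (88, 88), (123, 123), (137, 137), (138, 138),
            (389, 389), (445, 445), (464, 464)],
    "tcp": [(53, 53), (88, 88), (135, 135), (389, 389), (443, 443), (445, 445),
            (636, 636), (9389, 9389), (49152, 65535), (3268, 3269)],
}

def audit(rules, office_cidr):
    """Compare allow rules with the required ports.

    rules: (protocol, first_port, last_port, source_cidr) tuples.
    Returns (missing, too_broad): required ranges the office network cannot
    fully reach, and rules that open a required port to a source wider than
    the office network CIDR.
    """
    office = ipaddress.ip_network(office_cidr)
    parsed = [(p.lower(), lo, hi, ipaddress.ip_network(s)) for p, lo, hi, s in rules]
    missing, too_broad = [], []
    for proto, ranges in REQUIRED.items():
        # Port spans of this protocol whose source covers the whole office CIDR.
        spans = sorted((lo, hi) for p, lo, hi, s in parsed
                       if p == proto and office.subnet_of(s))
        for lo, hi in ranges:
            nxt = lo  # lowest required port not yet covered
            for s_lo, s_hi in spans:
                if s_lo <= nxt <= s_hi:
                    nxt = s_hi + 1
            if nxt <= hi:
                missing.append((proto, lo, hi))
    for p, lo, hi, s in parsed:
        hits = any(lo <= r_hi and r_lo <= hi for r_lo, r_hi in REQUIRED.get(p, []))
        if hits and s != office and office.subnet_of(s):
            too_broad.append((p, lo, hi, str(s)))
    return missing, too_broad

# Constructed sample rules for a constructed office network 192.168.10.0/24.
SAMPLE_RULES = [
    ("tcp", 1, 65535, "0.0.0.0/0"),
    ("udp", 53, 53, "192.168.10.0/24"),
    ("udp", 88, 123, "192.168.10.0/24"),
    ("udp", 389, 464, "192.168.10.0/24"),
]

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES, "192.168.10.0/24")
    print("missing:", missing)
    print("too broad:", too_broad)
```

With the sample rules, the audit reports UDP 137 and 138 as unreachable and flags the any-source TCP rule as wider than the office network.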

Create an enterprise AD office network

  1. Log on to the Elastic Desktop Service Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, click Create Office Network.

  5. In the Create Office Network step, select Advanced Office Network, configure parameters as prompted, and then click Next: Configure Account System. The following table describes the parameters.

    Parameter

    Description

    Region

    The region where you want to create the office network. For more information about supported regions and limits, see Regions.

    Name

    The name of the office network. Follow the on-screen instructions to specify a name.

    IPv4 CIDR Block

    When you create cloud computers in an office network, the system automatically assigns IP addresses to the cloud computers from the CIDR block of the VPC that is used by the office network. The number of IP addresses varies based on the CIDR block. For more information, see Plan a CIDR block.

    By default, you can set the CIDR block of the virtual private cloud (VPC) that the office network uses to one of the following IPv4 CIDR blocks or their subnets:

    • 192.168.0.0/16

    • 10.0.0.0/12

    • 172.16.0.0/12

    If you want to use a custom IPv4 CIDR block, submit a ticket to contact Alibaba Cloud technical support.

    Connection Method

    When you create an office network, you must specify a method used by end users to connect to cloud computers from Alibaba Cloud Workspace terminals. The following connection methods are provided:

    • Internet (default): End users can connect to the cloud computers only over the Internet. If you select this method, on-premises machines that are used to connect to the cloud computers must be able to access the Internet.

    • VPC: End users can connect to the cloud computers only over a VPC. If you select this method, you must attach the office network to a Cloud Enterprise Network (CEN) instance. In addition, you must use Express Connect, Smart Access Gateway (SAG), or VPN Gateway to establish a connection between the on-premises and cloud networks. For more information, see Attach and detach an office network to and from a CEN instance and Select a private network service.

    • Internet and VPC: End users can connect to the cloud computers over both a VPC and the Internet.

    Note

    The Connection Method parameter specifies how Alibaba Cloud Workspace terminals connect to cloud computers. A VPC connection depends on PrivateLink, which is free of charge. If you select VPC or Internet and VPC, the system automatically activates PrivateLink.

    Attach to CEN

    If you set the Connection Method parameter to VPC, you must set this parameter to Yes. To attach the VPC to CEN, you can select a CEN instance within the current Alibaba Cloud account or from another Alibaba Cloud account.

    Note

    If you connect an on-premises network to the cloud by using Smart Access Gateway, Express Connect, or VPN Gateway, you must attach the office network to the same CEN instance as that of the on-premises network.

    To ensure that cloud computers in the office network can be used as expected, click Check after you specify a CEN instance. The system checks whether the CIDR block of any route of the CEN instance overlaps with the IPv4 CIDR block of the office network. If the CIDR blocks conflict, click View Conflict Details and Recommended CIDR Blocks. Then, specify another IPv4 CIDR block or CEN instance.

  6. In the Configure Account System step, set Account Type to Enterprise AD Account, configure parameters as needed, and then click OK.

    Parameter

    Description

    Domain Name

    The AD domain name of your enterprise. Example: example.com.

    If a message appears indicating that the specified domain name is invalid, you can submit a ticket to contact Alibaba Cloud technical support.

    Domain Controller Hostname

    The hostname that you configure in the AD domain controller.

    • If the AD domain controller and DNS server are on separate servers, specify the domain controller hostname so the system can identify the valid domain controller and set up the office network efficiently.

    • If both are on the same server, this parameter is optional.

    DNS Address

    The IP address of the DNS server associated with the enterprise AD system.

    If the AD domain controller and DNS server are on the same server, enter the IP address of the AD domain controller. Ensure that the IP address is accessible from the IPv4 CIDR block specified in the previous step.

    Secondary Domain Controller Hostname/Secondary DNS Address

    Click Add Secondary Domain Controller Hostname/DNS Address to enter the hostname and DNS address of a secondary domain controller.

    This ensures high availability, so operations like cloud computer creation, assignment, and logon continue unaffected even if one domain controller is shut down.

    Local Administrator

    A cloud computer's local administrator can download software and perform tasks requiring local admin permissions.

    Selecting Specify AD User as Local Administrator grants local admin permissions to users authorized to access cloud computers in the office network.

    You can also set up a local administrator on the AD domain controller. For more information, see Configure local administrators.

    AD Connector Type

    AD connector types by cloud computer count:

    • General: suitable for scenarios requiring fewer than 1,000 cloud computers.

    • Advanced: suitable for scenarios requiring 1,000 or more cloud computers.

  7. In the Create Office Network panel, click Close. On the Office Networks page, find the Status column of the enterprise AD office network.

    • If the status shows Configure users, the creation is successful. Click the ID of the office network. In the Basic Information section of the office network details page, click Configure to the right of the Status parameter.

    • If the status shows Configure the domain information, the domain is misconfigured—either the domain name or DNS address is invalid. Click the ID of the office network. In the AD Configuration section of the office network details page, modify parameter settings as needed.

    • If the status shows Registering, verify the office network's connection to the AD domain server. Click Retry to create a new office network if no problem is found. For more information, see FAQ about AD office networks.
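The CIDR constraints in step 5 (the block must fall inside a default VPC block and must not overlap a CEN route) can be checked before you open the console. This is an added example, not Alibaba Cloud code and not the logic behind the console's Check button; the function names and the sample route list are constructed, and the overlap test is a plain prefix comparison.

```python
import ipaddress

# Default VPC blocks listed for the IPv4 CIDR Block parameter in step 5.
DEFAULT_BLOCKS = [ipaddress.ip_network(c)
                  for c in ("192.168.0.0/16", "10.0.0.0/12", "172.16.0.0/12")]

def check_office_cidr(office_cidr, cen_routes):
    """Return (in_default_block, conflicting_routes) for a planned CIDR."""
    office = ipaddress.ip_network(office_cidr)
    in_default = any(office.subnet_of(b) for b in DEFAULT_BLOCKS)
    conflicts = [r for r in cen_routes
                 if office.overlaps(ipaddress.ip_network(r))]
    return in_default, conflicts

def suggest(prefixlen, cen_routes, limit=3):
    """First `limit` subnets of the default blocks that overlap no CEN route."""
    routes = [ipaddress.ip_network(r) for r in cen_routes]
    found = []
    for block in DEFAULT_BLOCKS:
        if prefixlen < block.prefixlen:
            continue  # requested network is larger than this block
        for cand in block.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(r) for r in routes):
                found.append(str(cand))
                if len(found) == limit:
                    return found
    return found

# Constructed CEN route table for illustration.
SAMPLE_ROUTES = ["192.168.0.0/23", "10.0.0.0/8"]

if __name__ == "__main__":
    print(check_office_cidr("192.168.0.0/24", SAMPLE_ROUTES))
    print(suggest(24, SAMPLE_ROUTES))
```

Note that 10.16.0.0/24 is reported as outside the default blocks, because 10.0.0.0/12 ends at 10.15.255.255.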

Configure users

  1. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Office Networks page, find the office network that you want to manage and click its ID.

  4. On the office network details page, perform one of the following operations:

    • In the Basic Information section, click Configure to the right of the Status parameter.

    • In the AD Configuration section, click Configure to the right of the Domain Username parameter.

  5. In the Configure AD Domain panel, enter the domain username and password, confirm the password, and then click Verify.

    Note

    AD domain users must have permission to add domains and read user properties from the AD domain controller. This allows the system to add cloud computers within the office network to the AD domain controller and assign them.

  6. After the verification is complete, select an OU from the OU drop-down list and click Close.

Once the office network is in the Registered state, you can create cloud computers or establish many-to-many shares within it.

Update the domain controller

After an AD office network is created, if the domain controller address changes, update the domain controller hostname or DNS server address of the AD office network.

  1. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Office Networks page, find the office network that you want to manage and click its ID.

  4. Click AD Configuration. Click Edit to the right of Domain Controller Hostname/DNS Address. Enter a new domain controller hostname or DNS server address and click OK.

    Note

    If an error occurs during the process, the previous configuration is restored.

Configure local administrators

Only local administrators of cloud computers can download software and perform tasks that require the local admin permissions on the cloud computers. You can choose one of the following methods to configure local administrators:

Method 1: Configure local administrators in the EDS Enterprise console.

Method 2: Configure local administrators in an AD domain controller.

Comparison of the two methods:

Method 1

  • Advantage: When creating an enterprise AD office network, you can make authorized end users local administrators on cloud computers by selecting the Specify AD User as Local Administrator check box. This grants all permitted users local admin permissions on their assigned cloud computers.

  • Disadvantage: This method grants local admin permissions to end users on their assigned cloud computers within an enterprise AD office network. While simple to implement, it does not support fine-grained permission management.

Method 2

  • Advantage: You can also grant local admin permissions to specific end users for fine-grained control.

  • Disadvantage: This method allows granting local admin permissions to end users. It requires configuring the permissions for domain users in the AD domain controller and is more complex than Method 1.

For more information, see FAQ about AD office networks.

Manage an enterprise AD office network

Refer to the following guides to manage an enterprise AD office network:

Delete an enterprise AD office network

Only office networks with released cloud computers can be deleted. The system stops billing for an AD connector once its associated enterprise AD office network is deleted.

Warning

Before you delete an office network, make sure that you have backed up important resources and data of cloud computers in the office network. You cannot restore deleted office networks. Proceed with caution.

  1. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Office Networks page, find the office network that you want to delete and click Delete in the Actions column.

  4. In the message that appears, read the message and click OK.

What to do next

After you create an enterprise AD office network, perform the following operations as needed: