diff --git a/backend/app/services/scheduler/schedule_tenant.py b/backend/app/services/scheduler/schedule_tenant.py
index 2ad0c12..4a3f4b1 100644
--- a/backend/app/services/scheduler/schedule_tenant.py
+++ b/backend/app/services/scheduler/schedule_tenant.py
@@ -200,18 +200,22 @@ def _generate_tenant_route_yaml(tenant, is_active: bool) -> str:
     lines = ["http:"]
 
     if tenant.is_manager:
+        # Manager 租戶：根路徑 redirect 到 /admin，/admin 和 /api 指向 vmis-backend
         lines += [
             "  middlewares:",
             "    vmis-strip-admin:",
             "      stripPrefix:",
             '        prefixes: ["/admin"]',
             "",
+            "    vmis-redirect-admin:",
+            "      redirectRegex:",
+            f'        regex: "^https://{domain}/?$"',
+            f'        replacement: "https://{domain}/admin/"',
+            "        permanent: false",
+            "",
         ]
-
-    lines += ["  routers:"]
-
-    if tenant.is_manager:
         lines += [
+            "  routers:",
             f"    {code}-admin:",
             f'      rule: "Host(`{domain}`) && PathPrefix(`/admin`)"',
             f"      service: {code}-vmis",
@@ -229,36 +233,49 @@ def _generate_tenant_route_yaml(tenant, is_active: bool) -> str:
             "        certResolver: letsencrypt",
             "      priority: 200",
             "",
-        ]
-
-    lines += [
-        f"    {code}-drive:",
-        f'      rule: "Host(`{domain}`)"',
-        f"      service: {code}-drive",
-        "      entryPoints: [websecure]",
-        "      tls:",
-        "        certResolver: letsencrypt",
-        "",
-        f"    {code}-http:",
-        f'      rule: "Host(`{domain}`)"',
-        "      entryPoints: [web]",
-        "      middlewares: [redirect-https]",
-        f"      service: {code}-drive",
-        "",
-        "  services:",
-        f"    {code}-drive:",
-        "      loadBalancer:",
-        "        servers:",
-        f'          - url: "{nc_url}"',
-    ]
-
-    if tenant.is_manager:
-        lines += [
+            f"    {code}-root:",
+            f'      rule: "Host(`{domain}`)"',
+            f"      service: {code}-vmis",
+            "      entryPoints: [websecure]",
+            "      middlewares: [vmis-redirect-admin]",
+            "      tls:",
+            "        certResolver: letsencrypt",
+            "      priority: 100",
+            "",
+            f"    {code}-http:",
+            f'      rule: "Host(`{domain}`)"',
+            "      entryPoints: [web]",
+            "      middlewares: [redirect-https]",
+            f"      service: {code}-vmis",
+            "",
+            "  services:",
             f"    {code}-vmis:",
             "      loadBalancer:",
             "        servers:",
             '          - url: "http://vmis-backend:10281"',
         ]
+    else:
+        lines += [
+            "  routers:",
+            f"    {code}-drive:",
+            f'      rule: "Host(`{domain}`)"',
+            f"      service: {code}-drive",
+            "      entryPoints: [websecure]",
+            "      tls:",
+            "        certResolver: letsencrypt",
+            "",
+            f"    {code}-http:",
+            f'      rule: "Host(`{domain}`)"',
+            "      entryPoints: [web]",
+            "      middlewares: [redirect-https]",
+            f"      service: {code}-drive",
+            "",
+            "  services:",
+            f"    {code}-drive:",
+            "      loadBalancer:",
+            "        servers:",
+            f'          - url: "{nc_url}"',
+        ]
 
     return "\n".join(lines) + "\n"