VCF Workload Domain deployment fails at "Stale ESXi Service Accounts (svc-hostname) on Hosts"

Article ID: 427712
Products

VMware SDDC Manager, VMware Cloud Foundation

Issue/Introduction

  • When attempting to import a brownfield Workload Domain into VCF (specifically VCF Operations/SDDC Manager 9.x), the process fails during the inventory synchronization stage.
  • Error message in the SDDC Manager UI:
    Import operation for import with id ######-###-###-###-############ failed internally. Command was python3 /opt/vmware/vcf/domainmanager/scripts/vcf-import-tool/vcf_brownfield.py import --skip-ssh-thumbprint-validation --sso-user [email protected] --domain-name <domain_name> --vcenter <vCenter> --internal-vcf-auth --nsx-deployment-spec-path /tmp/nsxDeploymentSpec.json --skip-nsx-overlay --output-dir /var/log/vmware/vcf/domainmanager/brownfield/######-###-###-###-############/ --non-interactive. Please check the log files
  • The domain manager log (/var/log/vmware/vcf/domainmanager/domainmanager.log) shows the following error:
    ERROR [vcf_dm,#############] [c.v.e.s.o.model.error.ErrorFactory,dm-###-22] [####] IMPORT_OPERATION_FAILED Import operation for import with id ######-###-###-###-######## failed internally. Command was python3 /opt/vmware/vcf/domainmanager/scripts/vcf-import-tool/vcf_brownfield.py import --skip-ssh-thumbprint-validation --sso-user [email protected] --domain-name <domain_name> --vcenter <vCenter FQDN> --internal-vcf-auth --nsx-deployment-spec-path /tmp/nsxDeploymentSpec.json --skip-nsx-overlay --output-dir /var/log/vmware/vcf/domainmanager/brownfield/######-###-###-###-########/ --non-interactive. Please check the log files located in /var/log/vmware/vcf/domainmanager/brownfield/######-###-###-###-########/ on the SDDC Manager appliance
  • Error in /var/log/vmware/vcf/domainmanager/brownfield/######-###-###-###-############/vcf_brownfield.log:
    [ERROR] request_helper:31: Result status code from inventory import: 500
    [CRITICAL] import_domain:200: Could not import the information for the new domain in SDDC Manager: Could not import inventory into SDDC Manager. Please review '/var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log' for further details.
  • Error in /var/log/vmware/vcf/domainmanager/brownfield/######-####-####-####-#########/output/guardrails_report_############.csv:
    "error_code": "OPERATION_ISSUE",
    "message": "ESXi service account svc-<hostname> already exists. Updating it with the new password",
    "remediation_message": null,
    "severity": "WARNING"

Environment

VMware Cloud Foundation 9.x

Cause

The VCF automation creates dedicated service accounts (formatted as svc-<hostname>) on each ESXi host to facilitate secure communication between the SDDC Manager and the physical layer. The validation failure occurs because these accounts were detected as already existing on the target hosts. This is typically caused by:

  • A previous failed attempt to import the Workload Domain that was not properly cleaned up.
  • Residual configuration from a host that was decommissioned from VCF but did not have its local users purged.

VCF requires these accounts to be managed exclusively by its own internal password rotation and lifecycle policy. If an account already exists, the automation cannot verify its state or permissions, leading to a "Guardrail" failure to prevent security and synchronization conflicts.

Resolution

To resolve this issue, you must manually remove the stale service accounts from each ESXi host in the cluster intended for import.

Method 1: vSphere Client (GUI)

  1. Log in to the vCenter Server and select an affected ESXi host.

  2. Navigate to Configure > System > Users and Groups.

  3. Locate the user account starting with the prefix svc- (e.g., svc-esxi01).

  4. Select the user and click Remove.

  5. Repeat this process for every host in the cluster.

Method 2: ESXi Command Line (SSH)

For environments with many hosts, use the following commands over SSH to check for and remove the user on each host:

  1. Check whether the user exists:
     esxcli system account list | grep svc-
  2. Remove the service account:
     esxcli system account remove --id=svc-<hostname>
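The following POSIX shell script is an added example, not part of this article or of the VCF tooling. It shows how an operator can turn the two Method 2 commands into a repeatable check across many hosts: it parses the table that `esxcli system account list` prints, picks out only the user IDs that start with `svc-`, and emits the exact `esxcli system account remove --id=...` line for each one for review before anything is deleted. The sample listing embedded in the script is constructed; the `cleanup_host` helper, the `DRY_RUN` variable and the assumption that SSH is enabled with root key authentication on each host are this example's own, not something the article specifies.

```shell
#!/bin/sh
# Added example (not from the KB): locate stale VCF service accounts (svc-<hostname>)
# in `esxcli system account list` output and emit the matching remove commands.
set -eu

# Constructed sample in the format `esxcli system account list` prints:
# a header row, a dashed rule, then one account per line (user ID first).
SAMPLE_LIST='User ID     Description
----------  ----------------------------------------------
root        Administrator
dcui        DCUI User
vpxuser     VMware VirtualCenter administration account
svc-esxi01  VCF service account left behind by a failed import'

# Print the user IDs that carry the VCF svc- prefix, one per line.
# Skips the two header lines and matches only the first column, so a
# description that merely mentions "svc-" cannot produce a false hit.
stale_svc_accounts() {
  printf '%s\n' "$1" | awk 'NR > 2 && $1 ~ /^svc-/ { print $1 }'
}

# Turn each stale account into the remove command from the article (Method 2, step 2).
remove_commands() {
  stale_svc_accounts "$1" | while IFS= read -r id; do
    printf 'esxcli system account remove --id=%s\n' "$id"
  done
}

# Number of stale accounts in a listing; "0" means the host is already clean
# and the import can simply be re-run for it.
stale_count() {
  n=$(stale_svc_accounts "$1" | grep -c . || true)
  printf '%s\n' "$n"
}

# Apply the check to a real host (assumption: SSH enabled, root key auth).
# Default DRY_RUN=1 only prints what would be removed; set DRY_RUN=0 to execute.
cleanup_host() {
  host=$1
  listing=$(ssh "root@$host" esxcli system account list)
  remove_commands "$listing" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      printf '[%s] would run: %s\n' "$host" "$cmd"
    else
      ssh "root@$host" "$cmd"
    fi
  done
}

# Stand-alone demonstration on the constructed sample listing.
printf 'stale accounts found: %s\n' "$(stale_count "$SAMPLE_LIST")"
remove_commands "$SAMPLE_LIST"
```

Matching on the first column is deliberately stricter than the article's `grep svc-`, which would also match any account whose description contains that string. Run `cleanup_host esxi01.example.com` for each host in the cluster, review the printed commands, and only then repeat with `DRY_RUN=0`.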


Verification: Once the accounts are removed, restart the Workload Domain Import task in SDDC Manager. The process will now be able to create fresh, synchronized service accounts.