diff --git a/doc/config-reference/ch_identityconfigure.xml b/doc/config-reference/ch_identityconfigure.xml
index 3112f9af43..7812fd4798 100644
--- a/doc/config-reference/ch_identityconfigure.xml
+++ b/doc/config-reference/ch_identityconfigure.xml
@@ -90,7 +90,84 @@ options. For installation prerequisites and step-by-step walkthroughs, see the
     <xi:include href="../common/tables/keystone-zeromq.xml"/>
     <xi:include href="../common/tables/keystone-redis.xml"/>
     </section>
-
+    <section xml:id="section_keystone-domain-configs">
+      <title>Domain-specific configuration</title>
+      <para>The Identity service supports domain-specific
+        Identity drivers which allow a domain to have its
+        own LDAP or SQL back end. By default, domain-specific
+        drivers are disabled.</para>
+      <para>Domain-specific Identity configuration options can be stored in
+      domain-specific configuration files, or in the Identity SQL database
+      using API REST calls.</para>
+      <note>
+        <para>Storing and managing configuration options in
+          a SQL database is experimental in Kilo.</para>
+      </note>
+      <section xml:id="section_keystone-domain-driver-enable">
+        <title>Enable drivers for domain-specific configuration files</title>
+        <para>To enable domain-specific drivers,
+          set these options in the <filename>/etc/keystone/keystone.conf</filename>
+          file:</para>
+        <programlisting language="ini">[identity]
+domain_specific_drivers_enabled = True
+domain_config_dir = /etc/keystone/domains</programlisting>
+        <para>When you enable domain-specific drivers, Identity looks
+          in the <option>domain_config_dir</option> directory for
+          configuration files that are named as
+          <filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>.
+          Any domain without a domain-specific configuration
+          file uses options in the primary configuration file.</para>
+      </section>
+      <section xml:id="section_keystone-domain-config-file">
+        <title>Domain-specific configuration file</title>
+        <para>Any options that you define in the domain-specific
+          configuration file override options in the <filename>/etc/keystone/keystone.conf</filename>
+          configuration file.</para>
+        <para>Domains configured for the service user or project
+          use the Identity API v3 to retrieve the service token.</para>
+        <para>To configure the domain for the service user, set the
+          following options in the [DEFAULT] section of the
+          <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
+          file:</para>
+        <programlisting>admin_user_domain_id = <replaceable>USER_DOMAIN_ID</replaceable>
+admin_user_domain_name = <replaceable>USER_DOMAIN_NAME</replaceable></programlisting>
+        <para>Replace <replaceable>USER_DOMAIN_ID</replaceable> with
+          the Identity service account user domain ID, and
+          <replaceable>USER_DOMAIN_NAME</replaceable> with the Identity
+          service account user domain name.</para>
+        <para>To configure the domain for the project, set the
+          following options in the [DEFAULT] section of the
+          <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
+          file:</para>
+        <programlisting>admin_project_domain_id = <replaceable>PROJECT_DOMAIN_ID</replaceable>
+admin_project_domain_name = <replaceable>PROJECT_DOMAIN_NAME</replaceable></programlisting>
+        <para>Replace <replaceable>PROJECT_DOMAIN_ID</replaceable> with
+          the Identity service account project domain ID, and
+          <replaceable>PROJECT_DOMAIN_NAME</replaceable> with the
+          Identity service account project domain name.</para>
+      </section>
+      <section xml:id="section_keystone-domain-driver-sql">
+        <title>Enable drivers for storing configuration options in SQL database</title>
+        <para>To enable domain-specific drivers, set these options in
+          the <filename>/etc/keystone/keystone.conf</filename> file:</para>
+        <programlisting language="ini">[identity]
+domain_specific_drivers_enabled = True
+domain_configurations_from_database = True</programlisting>
+        <para>Any domain-specific configuration options specified through
+          the Identity v3 API will override domain-specific configuration files
+          in the <filename>/etc/keystone/domains</filename> directory.</para>
+      </section>
+      <section xml:id="section_keystone-domain-config-migration">
+        <title>Migrate domain-specific configuration files to the SQL database</title>
+        <para>You can use the <command>keystone-manage</command> command
+          to migrate configuration options in domain-specific configuration
+          files to the SQL database:</para>
+        <screen><prompt>$</prompt> keystone-manage domain_config_upload --all</screen>
+        <para>To upload options from a specific domain-configuration
+          file, specify the domain name:</para>
+          <screen><prompt>$</prompt> keystone-manage domain_config_upload --domain-name <replaceable>DOMAIN_NAME</replaceable></screen>
+      </section>
+    </section>
     <xi:include href="identity/section_keystone-sample-conf-files.xml"/>
     <xi:include href="conf-changes/keystone.xml"/>
 </chapter>
diff --git a/doc/config-reference/identity/section_keystone-sample-conf-files.xml b/doc/config-reference/identity/section_keystone-sample-conf-files.xml
index 4ecb6c4761..b481315b4e 100644
--- a/doc/config-reference/identity/section_keystone-sample-conf-files.xml
+++ b/doc/config-reference/identity/section_keystone-sample-conf-files.xml
@@ -41,54 +41,4 @@
             service.</para>
         <programlisting language="json"><xi:include parse="text" href="https://git.openstack.org/cgit/openstack/keystone/plain/etc/policy.json?h=stable/kilo"/></programlisting>
     </section>
-    <section xml:id="section_keystone-domain-configs">
-        <title>Domain-specific configuration</title>
-        <para>Identity enables you to configure domain-specific
-            authentication drivers which allows a domain to have its
-            own LDAP or SQL server.</para>
-        <section xml:id="section_keystone-domain-configs-enable">
-            <title>Enable domain-specific drivers</title>
-          <para>By default, the option to configure domain-specific
-            drivers is disabled. To enable domain-specific drivers,
-            set these options in the <filename>keystone.conf</filename>
-            file:</para>
-        <programlisting language="ini">[identity]
-domain_specific_drivers_enabled = True
-domain_config_dir = /etc/keystone/domains</programlisting>
-        <para>When you enable domain-specific drivers, Identity looks
-            in the <option>domain_config_dir</option> directory for
-            configuration files that are named as
-            <filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>.
-            Any domain without a domain-specific configuration
-            file uses options in the primary configuration file.</para>
-         </section>
-         <section xml:id="section_keystone-domain-config-options">
-            <title>Domain-specific configuration file options</title>
-          <para>Any options that you define in the domain-specific
-            configuration file override options in the primary
-            configuration file for the specified domain.</para>
-          <para>Domains configured for the service user or project
-            use the Identity API v3 to retrieve the service token.</para>
-          <para>To configure the domain for the service user, set the
-            following options in the [DEFAULT] section of the
-            <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
-            file:</para>
-          <programlisting>admin_user_domain_id = <replaceable>USER_DOMAIN_ID</replaceable>
-admin_user_domain_name = <replaceable>USER_DOMAIN_NAME</replaceable></programlisting>
-          <para>Replace <replaceable>USER_DOMAIN_ID</replaceable> with
-            the Identity service account user domain ID, and
-            <replaceable>USER_DOMAIN_NAME</replaceable> with the Identity
-            service account user domain name.</para>
-          <para>To configure the domain for the project, set the
-            following options in the [DEFAULT] section of the
-            <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
-            file:</para>
-          <programlisting>admin_project_domain_id = <replaceable>PROJECT_DOMAIN_ID</replaceable>
-admin_project_domain_name = <replaceable>PROJECT_DOMAIN_NAME</replaceable></programlisting>
-          <para>Replace <replaceable>PROJECT_DOMAIN_ID</replaceable> with
-            the Identity service account project domain ID, and
-            <replaceable>PROJECT_DOMAIN_NAME</replaceable> with the
-            Identity service account project domain name.</para>
-        </section>
-    </section>
 </section>