diff --git a/doc/4.3-object-types.md b/doc/4.3-object-types.md
index 2c51cbd08..4152fe69a 100644
--- a/doc/4.3-object-types.md
+++ b/doc/4.3-object-types.md
@@ -118,6 +118,7 @@ Attributes:
notifications |**Optional.** Inline definition of notifications. Each dictionary item specifies a notification.
The `templates` attribute can be used to specify an array of templates that should be inherited by the notification object.
The new notification object's name is "hostname:service:notification" - where "notification" is the dictionary key in the notifications dictionary.
dependencies |**Optional.** Inline definition of dependencies. Each dictionary item specifies a dependency.
The `templates` attribute can be used to specify an array of templates that should be inherited by the dependency object.
The new dependency object's name is "hostname:service:dependency" - where "dependency" is the dictionary key in the dependencies dictionary.
authorities |**Optional.** A list of Endpoints on which this service check will be executed in a cluster scenario.
+ domains |**Optional.** A list of Domains for this service object in a cluster scenario.
### ServiceGroup
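Review bot: the new `domains` row should link to the Domain object type the way the row text links elsewhere in this file (e.g. `[Domain](#objecttype-domain)`), so a reader of the Service attributes can find the ACL semantics; it would also help to state here that an endpoint not granted privileges by the listed domains will not have its messages applied, since that is the security effect of setting this attribute.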
@@ -950,14 +951,32 @@ Attributes:
### Domain
-TODO
+A [Service](#objecttype-service) object can be restricted using the `domains` attribute
+array specifying endpoint privileges.
+
+A Domain object specifices the ACLs applied for each [Endpoint](#objecttype-endpoint).
Example:
- TODO
+ object Domain "dmz-1" {
+ acl = {
+ node1 = (DomainPrivCheckResult),
+ node2 = (DomainPrivReadWrite)
+ }
+ }
Attributes:
Name |Description
----------------|----------------
- acl |TODO
+ acl |**Required.** Dictionary with items for Domain ACLs.
+
+Domain ACLs:
+
+ Name |Description
+ ----------------------|----------------
+ DomainPrivRead | Endpoint reads local messages and relays them to remote nodes.
+ DomainPrivCheckResult | Endpoint accepts check result messages from remote nodes.
+ DomainPrivCommand | Endpoint accepts command messages from remote nodes.
+ DomainPrevReadOnly | Endpoint reads local messages and relays them to remote nodes.
+ DomainPrivReadWrite | Combination of (DomainPrivRead | DomainPrivCheckResult | DomainPrivCommand)
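Review bot: the privilege name `DomainPrevReadOnly` in the ACL table is the misspelling that lib/base/dynamicobject.cpp renames to `DomainPrivReadOnly` in this same patch, so the documented name will not resolve; change the row to `DomainPrivReadOnly`. The same row carries a description identical to `DomainPrivRead` ("Endpoint reads local messages and relays them to remote nodes."), which matches the code mapping both names to `DomainPrivRead`; say explicitly that the two are aliases so readers do not look for a difference. Also fix the typo "specifices" -> "specifies", and consider documenting what applies to an endpoint that is absent from the `acl` dictionary (no privileges, or a default), since that is the case an operator writing a restrictive ACL most needs to know.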
diff --git a/doc/6-advanced-topics.md b/doc/6-advanced-topics.md
index a67e26a8c..a05581dff 100644
--- a/doc/6-advanced-topics.md
+++ b/doc/6-advanced-topics.md
@@ -244,7 +244,7 @@ to send configuration files.
A sample config part can look like this:
/**
- * Configure endpoints for cluster configuration
+ * Configure config master endpoint
*/
object Endpoint "icinga-node-1" {
@@ -256,6 +256,18 @@ A sample config part can look like this:
If you update the configuration files on the configured file sender, it will
force a restart on all receiving nodes after validating the new config.
+A sample config part for a config receiver endpoint can look like this:
+
+ /**
+ * Configure config receiver endpoint
+ */
+
+ object Endpoint "icinga-node-2" {
+ host = "icinga-node-2.localdomain",
+ port = 8888,
+ accept_config = [ "icinga-node-1" ]
+ }
+
By default these configuration files are saved in /var/lib/icinga2/cluster/config.
In order to load configuration files which were received from a remote Icinga 2
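Review bot: the receiver example sets `accept_config = [ "icinga-node-1" ]` without explaining that this list is a trust decision: the surrounding text says a config update from the sender forces a restart on receiving nodes after validation, so any endpoint named in `accept_config` can replace this node's configuration. A sentence after the example recommending that `accept_config` list only the intended config master endpoint would make that explicit.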
@@ -332,6 +344,38 @@ the Icinga 2 daemon.
# icinga2 -c /etc/icinga2/node1/icinga2.conf -DIcingaLocalStateDir=/opt/node1/var
+## Domains
+
+A [Service](#objecttype-service) object can be restricted using the `domains` attribute
+array specifying endpoint privileges.
+A Domain object specifices the ACLs applied for each [Endpoint](#objecttype-endpoint).
+
+The following example assigns the domain `dmz-db` to the service `dmz-oracledb`. Endpoint
+`icinga-node-dmz-1` does not allow any object modification (no commands, check results) and only
+relays local messages to the remote node(s). The endpoint `icinga-node-dmz-2` processes all
+messages read and write (accept check results, commands and also relay messages to remote
+nodes).
+
+That way the service `dmz-oracledb` on endpoint `icinga-node-dmz-1` will not be modified
+by any cluster event message, and could be checked by the local authority too presenting
+a different state history. `icinga-node-dmz-2` still receives all cluster message updates
+from the `icinga-node-dmz-1` endpoint.
+
+ object Host "dmz-host1" inherits "generic-host" {
+ services["dmz-oracledb"] = {
+ templates = [ "generic-service" ],
+ domains = [ "dmz-db" ],
+ authorities = [ "icinga-node-dmz-1", "icinga-node-dmz-2"],
+ }
+ }
+
+ object Domain "dmz-db" {
+ acl = {
+ icinga-node-dmz-1 = (DomainPrivReadOnly),
+ icinga-node-dmz-2 = (DomainPrivReadWrite)
+ }
+ }
+
## Dependencies
Icinga 2 uses host and service [Dependency](#objecttype-dependency) objects either directly
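Review bot: the Domains section repeats the two introductory sentences from doc/4.3-object-types.md, including the "specifices" typo; keep one copy (or link to the object type) and fix the spelling. The example's ACL uses `DomainPrivReadOnly`, which agrees with the dynamicobject.cpp change but not with the `DomainPrevReadOnly` row in the object-types table of this same patch; the two documents should use the same name. In the Host example the `authorities` line reads `"icinga-node-dmz-2"],` with the bracket spacing differing from the other arrays and a trailing comma before the closing brace; align it with the surrounding style. The ACL dictionary keys `icinga-node-dmz-1` and `icinga-node-dmz-2` are written unquoted although they contain hyphens, unlike `node1`/`node2` in the object-types example; confirm the config parser accepts them or quote them as strings. Finally, "could be checked by the local authority too presenting a different state history" is hard to parse; consider "and may be checked by the local authority as well, which can lead to a different state history".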
diff --git a/lib/base/dynamicobject.cpp b/lib/base/dynamicobject.cpp
index c5dc5e8ef..fe93751d7 100644
--- a/lib/base/dynamicobject.cpp
+++ b/lib/base/dynamicobject.cpp
@@ -53,7 +53,7 @@ void DynamicObject::StaticInitialize(void)
ScriptVariable::Set("DomainPrivCheckResult", DomainPrivCheckResult, true, true);
ScriptVariable::Set("DomainPrivCommand", DomainPrivCommand, true, true);
- ScriptVariable::Set("DomainPrevReadOnly", DomainPrivRead, true, true);
+ ScriptVariable::Set("DomainPrivReadOnly", DomainPrivRead, true, true);
ScriptVariable::Set("DomainPrivReadWrite", DomainPrivRead | DomainPrivCheckResult | DomainPrivCommand, true, true);
}
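Review bot: the rename replaces `DomainPrevReadOnly` with `DomainPrivReadOnly` outright, so any existing configuration that used the misspelled constant will fail to resolve after this change; either register the old name as a deprecated alias alongside the new one or note the rename as a breaking change. The object-types documentation in this same patch still lists `DomainPrevReadOnly` and needs the corresponding update.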