LPIC-2 Certification Guide: Advanced Linux Administration
LPIC-2 is the second level of the Linux Professional Institute certification program. It validates advanced system administration skills — the ability to plan, implement, and maintain a Linux network infrastructure.
You must hold a current LPIC-1 certification before taking the LPIC-2 exams.
Exam Overview
| Exam | Code | Duration | Questions | Passing Score |
|---|---|---|---|---|
| Linux System Administrator 1 | 201-450 | 90 minutes | 60 | 500 / 800 |
| Linux System Administrator 2 | 202-450 | 90 minutes | 60 | 500 / 800 |
Exam 201-450: Topics and Weighting
Topic 200: Capacity Planning (weight 6)
- Measure and troubleshoot resource usage
- Predict future capacity needs
Topic 201: Linux Kernel (weight 6)
- Kernel components and compilation
- Kernel runtime management and troubleshooting
Topic 202: System Startup (weight 6)
- Customizing system startup (systemd)
- System recovery and boot process troubleshooting
Topic 203: Filesystem and Devices (weight 9)
- RAID configuration and management
- Filesystem access and storage management
- Logical Volume Manager (LVM)
Topic 204: Advanced Storage Administration (weight 5)
- iSCSI configuration
- SAN and NAS integration
Topic 205: Networking Configuration (weight 12)
- Basic networking configuration and verification
- Advanced network configuration (bonding, bridging)
- Troubleshooting network issues
Topic 206: System Maintenance (weight 5)
- Backup and restore operations
- Backup strategy design
Exam 202-450: Topics and Weighting
Topic 207: Domain Name Server (DNS, weight 8)
- BIND configuration and management
- DNS troubleshooting and security
Topic 208: HTTP Services (weight 7)
- Apache and Nginx configuration
- HTTPS and SSL/TLS setup
- Reverse proxy configuration
Topic 209: File Sharing (weight 6)
- Samba configuration
- NFS server configuration
Topic 210: Network Client Management (weight 4)
- DHCP configuration
- PAM authentication
Topic 211: E-Mail Services (weight 5)
- Postfix configuration
- Mail delivery and filtering
Topic 212: System Security (weight 15)
- OpenVPN and IPsec configuration
- Firewall management (iptables, nftables)
- SSH server security
- Security auditing and hardening
Key Concepts by Topic
Topic 200 — Capacity Planning (Weight 6)
Managing system resources and planning for growth:
vmstat— Virtual memory statistics:r(running processes),b(blocked),swpd,cache,si/so(swap in/out),bi/bo(block I/O).iostat— CPU and I/O statistics per device.iostat -x 2for extended stats every 2 seconds.sar— Historical performance data collection. Requiressysstatpackage. Data in/var/log/sysstat/.netstat/ss— Network connection statistics.ss -tulnfor listening ports,ss -sfor summary.mpstat -P ALL— Per-CPU usage breakdown.pidstat— Per-process resource usage.- Capacity planning involves collecting baseline data, identifying trends over weeks/months, and predicting when resources will be exhausted.
Topic 201 — Linux Kernel (Weight 6)
Managing the kernel at runtime and compilation:
uname -r— Current kernel version.uname -afor full details./proc/sys/— Runtime kernel parameters. Persistent changes go in/etc/sysctl.confor/etc/sysctl.d/.sysctl -a— List all kernel parameters.sysctl -w net.ipv4.ip_forward=1sets temporarily.- Kernel modules:
lsmod,modprobe,modinfo,insmod,rmmod. Module config in/etc/modprobe.d/. depmod— Generate modules.dep and map files for module dependency resolution.dmesg— Kernel ring buffer messages.dmesg -wfor real-time tail.- Compiling a kernel (less common now, but tested):
make menuconfig,make -j$(nproc),make modules_install,make install. /boot/— Containsvmlinuz-*,initrd.img-*,System.map-*, GRUB config.udevadm— udev management tool.udevadm info --query=all --name=/dev/sda,udevadm monitor.
Topic 202 — System Startup (Weight 6)
Boot process management and recovery:
systemd-analyze— Boot performance.systemd-analyze blamefor per-service timing.systemd-analyze critical-chain— Shows the boot dependency chain and which service is slowest.journalctl -b— View logs from current boot.journalctl -b -1for previous boot.- GRUB configuration:
/etc/default/grub, thenupdate-gruborgrub-mkconfig -o /boot/grub/grub.cfg. - Recovery: Boot from rescue media → chroot into system → fix GRUB, initramfs, or packages.
initramfs: Temporary root filesystem loaded before the real root. Rebuild withupdate-initramfs -u.- Systemd targets:
rescue.target(single-user),emergency.target(minimal shell),multi-user.target,graphical.target. systemctl mask <service>— Prevent a service from starting under any condition.reboot --force/systemctl reboot --force— Force reboot without clean shutdown.
Topic 203 — Filesystem and Devices (Weight 9)
RAID, LVM, and advanced filesystem management:
- Software RAID with
mdadm:mdadm --create /dev/md0 --level=5 --raid-devices=4 /dev/sd[b-e]. mdadm --detail /dev/md0— Check RAID status.--fail,--remove,--addfor disk replacement./proc/mdstat— Real-time RAID status and rebuild progress.- LVM:
pvcreate→vgcreate→lvcreate. Extend withlvextend -L +5G /dev/vg_name/lv_name. lvresize/lvreduce— Resize logical volumes (filesystem must be resized separately).pvmove— Move physical extents between PVs for storage migration.- LVM snapshots:
lvcreate -s -L 1G -n snap /dev/vg/origin— copy-on-write, ideal for backups. resize2fs/xfs_growfs— Grow filesystem to fill resized logical volume.fsck— Filesystem check. Never run on mounted filesystems (except read-only for some types).tune2fs -l /dev/sda1— List ext2/3/4 superblock information.
Topic 204 — Advanced Storage Administration (Weight 5)
iSCSI, SAN, and NAS:
- iSCSI initiator:
iscsiadm -m discovery -t sendtargets -p 192.168.1.100, theniscsiadm -m node --login. - iSCSI target:
targetclion the server side creates backstores (fileio, block, ramdisk) and LUNs. - iSCSI CHAP authentication: Configure mutual or one-way CHAP usernames/passwords in
/etc/iscsi/iscsid.conf. multipath -ll— List active multipath devices. Requiresdevice-mapper-multipathpackage./etc/multipath.conf— Multipath configuration with aliases, blacklists, and failover policies.- NAS vs SAN: NAS serves files (NFS/CIFS), SAN serves blocks (iSCSI/Fibre Channel).
Topic 205 — Networking Configuration (Weight 12)
Advanced networking:
ip addr/ip link/ip route— Modern networking commands (replacingifconfig).- Network bonding:
/etc/network/interfacesornmclito create a bond of two+ interfaces.- Modes:
balance-rr(round-robin),active-backup(failover),802.3ad(LACP),balance-tlb.
- Modes:
- Bridging:
brctl addbr br0,brctl addif br0 eth0(orip link set dev eth0 master br0). - VLAN tagging:
ip link add link eth0 name eth0.100 type vlan id 100. - Policy routing:
ip ruleand multiple routing tables in/etc/iproute2/rt_tables. ss -tuln— Replacement fornetstat -tuln. Shows all listening TCP/UDP ports.tcpdump -i eth0 port 80— Packet capture.-nfor no DNS resolution,-w fileto save.nmcli— NetworkManager command line.nmcli con show,nmcli dev status.- IPv6: EUI-64, SLAAC, DHCPv6, privacy extensions.
ip -6 addr,ip -6 route.
Topic 206 — System Maintenance (Weight 5)
Backup and recovery:
- Backup tools:
tar,rsync,dd,dump/restore,s3cmd,duplicity. rsync -avz /source/ user@host:/dest/— Incremental remote sync.--deleteremoves destination files not in source.dd if=/dev/sda of=/backup/mbr.img bs=512 count=1— Backup MBR (first 512 bytes).- Backup strategies: Full, incremental, differential. GFS (Grandfather-Father-Son) rotation scheme.
du -sh /var/df -h— Disk usage and free space monitoring.
Topic 207 — DNS (Weight 8)
BIND configuration, zones, and troubleshooting:
- BIND configuration:
/etc/named.conf(or/etc/bind/named.conf). Zone files in/var/named/. - Zone types:
master(primary),slave(secondary, replicates from master),forward(forwards queries). dig example.com A/dig -x 192.0.2.1(PTR lookup).dig +trace example.comfollows delegation chain.nslookup/host— Simpler DNS lookup tools.rndc reload— Reload BIND configuration without restart.rndc statusfor server state.- DNSSEC:
dnssec-keygen,dnssec-signzone, DS records, trust anchors. - Split-horizon DNS: Different views in BIND serve different answers based on client IP.
/etc/resolv.conf— Client-side resolver configuration.search,nameserver,options rotate.nscd/systemd-resolved— DNS caching services.
Topic 208 — HTTP Services (Weight 7)
Apache and Nginx:
- Apache: Virtual hosts (
<VirtualHost>), modules (a2enmod/a2dismodon Debian),.htaccess.- MPMs:
prefork,worker,event. Check withapachectl -V | grep MPM. - SSL:
SSLEngine on,SSLCertificateFile,SSLCertificateKeyFile.
- MPMs:
- Nginx: Server blocks,
locationblocks, reverse proxy withproxy_pass.nginx -t— Test configuration before reloading.nginx -s reloadfor graceful reload.- SSL:
ssl_certificate,ssl_certificate_key,ssl_protocols,ssl_ciphers.
- Reverse proxy: Apache
ProxyPass/ Nginxproxy_passforwards requests to backend servers. - TLS/SSL: Let's Encrypt automation with
certbot, OpenSSL commands for CSR generation and key management. - Performance tuning:
KeepAlive, caching, gzip compression, worker processes/connections.
Topic 209 — File Sharing (Weight 6)
Samba and NFS:
- Samba:
/etc/samba/smb.conf. Global settings in[global], shares in[sharename].smbpasswd -a user— Add Samba user.pdbedit -Lto list users.security = user/ads/domain— Authentication modes.testparm— Validate smb.conf before restarting.smbstatus— Active connections and locked files.
- NFS:
/etc/exportsdefines exported directories.exportfs -rto reload.- NFSv4:
mount -t nfs4 server:/export /mnt. Usesrpc.idmapdfor UID/GID mapping. showmount -e server— List NFS exports on a server.rpcinfo -p server— List RPC services (portmapper, nfs, mountd, nlockmgr).
- NFSv4:
- autofs: Automatic mount-on-access. Config in
/etc/auto.masterand map files.
Topic 210 — Network Client Management (Weight 4)
DHCP and PAM:
- DHCP server (ISC DHCP):
/etc/dhcp/dhcpd.conf. Define subnet, range, options (routers, DNS).dhcpd -t— Test configuration.dhcpd -ffor foreground/debug mode.- Relay agent (
dhcrelay) forwards DHCP requests across subnets.
- PAM (Pluggable Authentication Modules):
/etc/pam.d/controls authentication for each service.- Module types:
auth,account,session,password. - Control flags:
requisite,required,sufficient,optional. - Common modules:
pam_unix.so,pam_ldap.so,pam_krb5.so,pam_limits.so. pam_tally2/pam_faillock— Account lockout after failed attempts.
- Module types:
Topic 211 — E-Mail Services (Weight 5)
Postfix configuration and mail handling:
- Postfix:
/etc/postfix/main.cf. Key parameters:myhostname,mydomain,myorigin,mydestination.postfix check— Verify configuration.postfix reloadfor safe reload.mailq— View mail queue.postsuper -d ALLto delete all queued messages.- Relay control:
mynetworks(trusted clients),relayhost(smart host).
- Spam filtering:
SpamAssassinwithamavisd-new, orrspamd. - DKIM:
opendkim-genkey→ DNS TXT record →opendkimfilter in Postfix. - Mail retrieval: Dovecot (IMAP/POP3),
mailx/muttfor local mail reading.
Topic 212 — System Security (Weight 15)
Firewalls, VPNs, SSH, and auditing:
- nftables (modern replacement for iptables):
nft add rule inet filter input tcp dport 22 accept.- Tables, chains, rules:
nft list rulesetshows all rules. Configuration in/etc/nftables.conf.
- Tables, chains, rules:
- iptables (legacy but still tested):
iptables -A INPUT -p tcp --dport 22 -j ACCEPT.iptables-save/iptables-restorefor persistence.iptables -L -n -vto list rules.
- firewalld: Zones, services, rich rules.
firewall-cmd --zone=public --add-service=http --permanent. - OpenVPN: TUN/TAP interfaces, certificates,
server.conf/client.conf.openvpn --genkey --secret static.keyfor static key. PKI with EasyRSA for full CA.
- IPsec with
strongSwanorlibreswan: IKEv1/IKEv2, certificates, PSK. - SSH hardening:
PermitRootLogin no,PasswordAuthentication no,PubkeyAuthentication yes.- Key types: RSA (4096+), Ed25519 (preferred), ECDSA.
ssh-keygen -t ed25519. sshd -T— Test current SSH server configuration.
- Key types: RSA (4096+), Ed25519 (preferred), ECDSA.
fail2ban: Ban IPs after repeated failures. Jails for SSH, Apache, Postfix.- Security auditing:
auditdwith audit rules in/etc/audit/audit.rules.ausearch/aureport— Search and report on audit logs.chkrootkit/rkhunter— Rootkit detection.aide— File integrity monitoring. Initialize:aide --init, compare:aide --check.
openssl:openssl s_client -connect host:443for TLS testing.openssl req -new -newkey rsa:2048 -keyout key.pem -out csr.pem— Generate CSR.
Study Plan
6-Week Intensive Plan
| Week | Focus | Topics | Time |
|---|---|---|---|
| 1 | Kernel + Startup + Capacity | 200, 201, 202 | 10 hours |
| 2 | Storage (RAID, LVM, iSCSI) | 203, 204 | 10 hours |
| 3 | Networking + Maintenance | 205, 206 | 8 hours |
| 4 | DNS + HTTP | 207, 208 | 10 hours |
| 5 | File Sharing + DHCP + PAM + Mail | 209, 210, 211 | 10 hours |
| 6 | Security + Full Review | 212 + all topics | 12 hours |
Lab Setup
LPIC-2 requires hands-on practice. Set up:
- At least 3 Linux VMs (recommended: Debian/Ubuntu + CentOS/Rocky)
- A separate network for them (NAT + host-only)
- Practice scenarios: Set up a mail server from scratch, configure BIND with DNSSEC, build a RAID5+LVM storage array, configure firewalld with rich rules, set up OpenVPN site-to-site
Exam Registration
- Register at LPI's website or Pearson VUE
- Cost: Approximately $200 per exam. LPI offers bundle pricing for both exams.
- Prerequisite: You must hold a current LPIC-1 certification
- Delivery: Pearson VUE test centers or online proctoring
- Validity: LPIC-2 certification is valid for 5 years from the pass date of the second exam
- Retake policy: 24-hour wait after first failure, 7 days after subsequent failures
Study Recommendations
Prerequisites
Before attempting LPIC-2, you should have solid LPIC-1 knowledge, including:
- Confident command-line proficiency
- Understanding of filesystem hierarchy and permissions
- Basic shell scripting ability
- Networking fundamentals (TCP/IP, DNS)
Recommended Approach
- Review LPIC-1 material if you haven't practiced recently — LPIC-2 builds on everything
- Set up a lab network — at least two Linux VMs in a private network
- Practice every service — BIND, Apache, Postfix, Samba, OpenVPN
- Use practical projects — set up a mail server, configure a firewall from scratch, build a RAID array with LVM
Test Your Knowledge with Practice Exams
Ready to put this knowledge to the test? Our LPI practice portal includes 200+ realistic questions covering LPIC-1, LPIC-2, LPIC-3, and DevOps Tools Engineer certifications. Study mode, timed exams, domain breakdowns, and weak-area analysis included.
Related Articles
- LPIC-2 201-450 Deep Dive — Detailed commands and examples for the 201-450 exam objectives
- LPIC-2 202-450 Deep Dive — Detailed commands and examples for the 202-450 exam objectives
- LPIC-1 Certification Guide — Start here if you haven't taken LPIC-1 yet
- LPI DevOps Tools Engineer — DevOps specialization
- 50 Free LPIC-2 Practice Questions — Test your knowledge across all LPIC-2 topics
- LPIC vs RHCSA vs CompTIA Linux+ — Which certification path is right for you?
- Browse All LPI Resources — Full library of study guides, deep dives, and practice questions