Agree with @Bob_Zimmerman. You need to review your RPO/RTO policies. How long is Site A "down" before you declare "DR Event"? Then when "DR Event" is declared, how long will you need to get basic networking services online? How much is currently offline, and how long before basic network services are online? During the state change are any firewall/VPN/routing changes required?
Plus, having the HA mgmt in Site B allows you to do general maintenance on Site A without worries, or do your dry(-ish) run exercises. Just because a CRL check is "every 24 hours", keep in mind that the last CRL check was not "24 hours ago from this moment in time." The last CRL check was (for example) 14 hours ago. You only have 10 hours remaining before that next CRL check! Don't go with "ok, we got 24 hours; good enough". This is a common fallacy. Nope, you're already 14 or 19 or 23 hours into that last retry.
All of these tiny details are always overlooked when people do "DR planning". I see it ALL. THE. TIME. No one ever understands what the "D" in "DR" is... until it happens. You need to plan on this with the expectation that your management server has vanished and is unrecoverable. Thanos just snapped it out of existence. Now what are you going to do? Has your SAN or SRM been Thanos-snapped, too? You need to plan as if an asymmetric 50% of your infrastructure disappeared.
Tabletop exercises are great, and each time you do, you need to use different Choose Your Own Adventure paths. I absolutely positively would not rely on vCenter to be your DR plan for the things that are responsible for your network and perimeter OAM services. vCenter requires ESX, and SAN, and iSCSI connectors via fabric connectors (be it Ethernet or Fibre Channel or whatever). If you have an entire vCenter/ESX/SAN stack in Site B, that's fine. Just don't plan to "move Site A to Site B during DR event" (had a customer try that... they underestimated).
You said you had a "hot backup" and that is FANTASTIC! 👏👏 I always recommend having OAM things be hot in Site B. Even if you don't need a policy change, you will have your logs! You will have your visibility, and when everyone comes screaming at you about "The Firewall", you have logs to prove "nope, it isn't me." Even better, you will have a jump host to SSH to your firewalls in Site B. You have the BGP routes to the ISP and local LANs. You'll have your backup local VPN user, too. You have access, you have your things at the ready. Everyone is coming to you for those logs or to troubleshoot routing, VPN, etc. But you can play it cool, because you had a hot management server at the ready. 8) Let the server team scramble and fall over themselves trying to figure out why they had a misconfigured VLAN on vCenter. 🫣