Primary instance is lost do to DC down.
We are going to be doing a DR exercise, below is the RSA AM design
Primary Instance, Replica
Exercise - DC1 will be disconnected
1. Should I promote one of the Replicas before DR starts?
2. What is the process to get the original Primary instance back into DC1 after DR exercise?
No need to promote any of the DR replicas during the failover exercise if all applications protected by SecurID Access are pointing to the DR Authentication Manager servers as the external authentication server, as all authentication request will be redirected automatically to the DR AM servers.
However if you would like to administer the authentication manager during the DR exercise for sure you need to promote one of the replicas deployed at the DR to be the primary one , which then you can revert back everything as it was once you complete the failover exercise.
Exactly, you can simply promote back the original primary authentication manager deployed at the main site after finalizing the DR fail-over activity.
Keep in mind to use the promotion for maintenance way and not for disaster recovery.
Below is a useful link for that.