Does your new air-gap ePO server have any other devices in its LAN that do have access to either the Internet or another UNC share?
You can set up an on-site source to update the ePO Master Repository from. Since DAT updates etc. are daily, this process would need to be repeated rather than being just a one-off event.
You could reference this previous discussion for Offline DAT updates to a Master Repository: "Updating ePO DAT Repository offline".
Agent Handlers are designed for Horizontal Scaling rather than distributed Repositories, and require low-latency direct access to the SQL Database. I would not recommend using these for updating the Master Repositories. A great Webinar on Agent Handlers can be found here: "McAfee TechTalk Webinar ePO Agent Handlers".
Certified McAfee Product Specialist - ePO
I do this all the time, but first let me strongly advise you against installing anything on your domain controllers. As per best practice, the only things that you should install on your DCs are the ADDS, DNS, and DHCP roles (and perhaps a standalone CA) and nothing else. Otherwise you'll feel the pain when you try to enable ADWS and have port conflicts in the way.
That said, you can easily install standalone ePO in an airgap situation. All you need to do at a minimum is manually import the VIRUSSCAN and VIRUSSCANREPORTS extensions, check in the VSE package, and check in an ePO DAT package (i.e. avvepoXXXX), which you can download from McAfee's public security updates page. Optionally, check in the updated scan engines, patches, etc., and your product deployment tasks will take care of the rest.