You just need to add them with the secondary switch i.e.
from inside of the interface config
(config-if)#ip address yyyy.yyyy.yyyy.yyyy 255.255.255.240 secondary
On your first point, the firewall portion is already setup. Those "security-level" commands that you issued for the interface took care of that. Higher levels are able to communicate with lower levels but lower levels need to be given access to resources at higher levels. To grant access, you create an access-list and assign it to an interface with the access-group command. Since you are NATing as well, you need to create some static mappings so the firewall knows where to send traffic to. I've left the DC out of my instructions because you don't need to expose anything to the DC (it's a security issue to do so). If you have remote offices that need to authenticate, setup a site to site VPN. Here's what it would look like:
access-list outside_access_in extended permit tcp any host 192.168.1.153 eq 80
access-list outside_access_in extended permit tcp any host 192.168.1.153 eq 25
access-group outside_access_in in interface outside
static (inside,outside) 192.168.1.153 192.168.2.5 netmask 255.255.255.255
You could, alternatively, use PAT instead of assigning the server its own external IP address. I recommend not doing this if possible as it is more commands to configure and keeping an email server on its own IP address helps you to not get blacklisted. If you'd like to do this, here's what you'd do (note in this configuration you have to create a static mapping for each port):
access-list outside_access_in extended permit tcp any host [external ip address of firewall] eq 80
access-list outside_access_in extended permit tcp any host [external ip address of firewall] eq 25
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 [internal ip address of server] 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 [internal ip address of server] 25 netmask 255.255.255.255
In order to enable access you just tell ssh where to listen, how to authenticate (a local database is easiest to setup), and generate a key:
ssh [ip address of main office] 255.255.255.255 outside
ssh [ip address of remote lab network] [subnet mask of remote lab network] outside
ssh [subnet of internal network] [subnet mask of internal network] inside
username companyadmin password [create a good password] privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa
EDIT
You cannot do the type of failover you're looking for on the ASA. It can failover ISP's but not hosts. What you might want to look into is Network Load Balancer on Windows or a dedicated hardware load balancer.
The first snippet of code is not about site-to-site VPN. Sorry for the confusion. It is for forwarding ports with a dedicated IP (also known as static NAT) as opposed to an IP address shared with the firewall. When it's a shared IP, it's called port address translation (PAT) because the port number and type dictates which host it's forwarded to. When you have a dedicated IP address it's called static NAT. You are already using NAT and you can use either PAT or static NAT in combination with NAT.
Best Answer
Turn off the dhcp server on the asa:
Or if you want your ASA to serve dhcp, modify the address pool to match the subnet you want your inside interface to be on:
(modify the address range as necessary)