The most secure way would be to establish a remote vpn connection and then allow ssh access via the IPSec tunnel. Otherwisw, you can configure ssh access on the outside interface:
asa(config)# crypto key generate rsa
asa(config)#ssh [outside public ip address] 255.255.255.255 outside
asa(config)#ssh version 2
asa(config)# ssh timeout 5 (can be any value between 1 and 60, for minutes)
asa# show ssh sessions (to show current sessions)
to rdp into a domain controller: (not recommended to open outside ports into a dc)
you should do this via vpn
you would need to statically map a public address for the dc with static nat:
static (inside,outside) [public address of the dc] inside lan address of dc netmask 255.255.255.255
then allow rdp through the asa from the outside:
access-list outside_in permit tcp any host [public address of dc] eq 3389
then bind the access-list to the outside interface:
access-group outside_in in interface outside
This is not a complete asa configuration, just how to allow access to this dc from the outside
Again, this is not recommended, so I would configure the vpn and then access all your internal lan hosts via a secure vpn tunnel