I contacted Office 365's technical support and, between us, we discovered that there seems to be a bug / incompatibility between Azure AD Connect 1.1.647.0 and Active Directory domain controllers running Windows Server (2012 R2) Essentials or Standard with Essentials, possibly due to an Essentials-implemented password filter.
We've worked around the problem by installing Azure AD Connect 1.1.443.0. Auto upgrades shouldn't be a problem because the credentials are already set.
The engineer said that he's going to contact the development team to get this fixed in a future release.
Update 2017/10/31:
Installing Azure AD Connect 1.1.647.0 and 1.1.443.0 on a Domain Controller server running Windows Server 2012 R2 Standard with Windows Server Essentials (not the same as Windows Server 2012 R2 Essentials) failed with a very similar error.
Again, I contacted Office 365's technical support and, ultimately, we had to create and use a dedicated service account. The article at https://blog.kloud.com.au/2014/12/18/aadsync-ad-service-account-delegated-permissions/ (Password Synchronisation) was very helpful in doing so - all you need to do is replace the down-level username.
Update 2017/11/01:
Installing Azure AD Connect 1.1.649.0 (released on 2017/10/27) on a server running Windows Server 2012 R2 Standard but in a Windows Server 2012 R2 Essentials Active Directory environment encountered the same errors, so the problem still isn't fixed.